CVE-2023-24032: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A local privilege escalation (LPE) vulnerability was discovered in Zimbra Collaboration Suite through versions 9.0 and 8.8.15. The vulnerability (CVE-2023-24032) was disclosed on June 15, 2023, and allows an attacker with initial user access to a Zimbra server instance to execute commands as root by manipulating JVM arguments (NVD).

The vulnerability is classified as a command injection vulnerability (CWE-77) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local, requires low attack complexity, needs low privileges, and no user interaction. The scope is unchanged, with high impact on confidentiality, integrity, and availability (NVD).

If successfully exploited, the vulnerability allows an attacker to elevate their privileges to root level, potentially gaining complete control over the affected system. This could lead to unauthorized access to sensitive data, system modification, and service disruption (NVD).

The vulnerability has been addressed in subsequent patches. Organizations running affected versions of Zimbra Collaboration Suite should upgrade to the latest patched version. The fix involves strengthening security by disallowing usage of certain JVM arguments in the mailbox manager (Zimbra Security).