CVE-2023-50439
Description
Unencrypted metadata in ZED containers discloses the original creation path, enabling unauthenticated information leakage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ZED containers (.ZED files) produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission), ZED! for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission) and before 2023.5, and ZEDMAIL for Windows before 2023.5 retain the original file system path where the container was created. This metadata is stored unencrypted and is accessible to anyone who obtains the container file.
Exploitation
An unauthenticated attacker with network access to a .ZED container file can analyze it to extract the original creation path. No special privileges or user interaction are required. The attacker simply needs to obtain a container (e.g., via file sharing or network traversal) and parse its metadata.
Impact
Successful exploitation discloses the context in which the container was used, such as project names, directory structures, or other sensitive information derived from the original path. This represents a low confidentiality impact with no effect on integrity or availability.
Mitigation
Upgrade to a fixed version as listed in the vendor advisory [2]: ZED! Enterprise for Windows Q.2020.3, Q.2021.2, or minimal version 2023.5; ZONECENTRAL for Windows Q.2021.2 or minimal version 2023.5; ZEDMAIL for Windows minimal version 2023.5. No workaround is available; users should apply the update.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PRIMX/ZED!
- Range: < Q.2020.3 (ANSSI qualification submission) for ZED! for Windows
- Range: < Q.2021.2 (ANSSI qualification submission) or < 2023.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.