A critical vulnerability has been identified in the z-push/z-push-dev software package, a component used for synchronizing data. This flaw, a SQL Injection, could allow a remote attacker to manipulate the application's backend database, potentially leading to a complete compromise of stored data. Given the critical severity, immediate action is required to prevent unauthorized access, data theft, or service disruption.

The vulnerability is a SQL Injection flaw located in the IMAP backend of the z-push/z-push-dev package. The application fails to properly sanitize or parameterize user-supplied input when constructing SQL queries. An unauthenticated remote attacker can exploit this by sending specially crafted requests to the application, embedding malicious SQL commands within the input parameters to be processed by the IMAP backend. Successful exploitation allows the attacker to execute arbitrary SQL queries against the underlying database, enabling them to read, modify, or delete sensitive data, and potentially achieve further system compromise.

This vulnerability is rated as critical severity with a CVSS score of 9. A successful exploit could have a severe business impact, leading to a significant data breach. Attackers could exfiltrate sensitive information managed by the Z-Push application, such as emails, contacts, and calendar data. This breach of confidentiality and integrity can result in direct financial loss, severe reputational damage, loss of customer trust, and potential regulatory fines under data protection laws like GDPR. The risk is the complete loss of control over the data managed by the affected application.

Immediate Action: Organizations must immediately upgrade the z-push/z-push-dev package to version 2.7.6 or later, which contains the patch for this vulnerability. After patching, it is crucial to review application and database access logs for any signs of compromise or suspicious activity that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on the affected systems. Security teams should look for anomalous SQL queries in database logs, particularly those containing common SQL injection syntax like UNION SELECT, 'OR 1=1, or sleep/benchmark commands. Network traffic to and from the application server should be monitored for unusual patterns or large, unexpected data transfers.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL Injection attacks. Additionally, restrict network access to the vulnerable application endpoint, allowing connections only from trusted IP addresses. Ensure the database user account used by the application operates under the principle of least privilege to limit the potential impact of a successful exploit.

Public Exploit Available: false

Given the critical CVSS score of 9, this vulnerability presents a significant and immediate risk to the organization. The potential for a complete data compromise necessitates urgent action. We strongly recommend that all affected instances of z-push/z-push-dev be patched to version 2.7.6 or later immediately. While there is no current evidence of exploitation in the wild, the severity of this flaw makes it a highly attractive target for attackers. Prioritize this patch above lower-severity vulnerabilities and implement the recommended compensating controls and monitoring where patching is delayed.