Information disclosure in zoneminder (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-10140 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM Tivoli Storage Manager Server applications / File servers (FTP/HTTP) libgcrypt (Alpine package) Operating systems & Components / Operating system package or component zoneminder (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor |
IBM Corporation Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU33060
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-10140
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Tivoli Storage Manager: 5.4.3.0
libgcrypt (Alpine package): 2.8.3
libgcrypt (Alpine package): 3.2.0-1
libgcrypt (Alpine package): 0.2.8-0ubuntu1
libgcrypt (Alpine package): 0.1.17 - 0.1.17.1
libgcrypt (Alpine package): 1.17.0
libgcrypt (Alpine package): 20101020ubuntu334 - 20101020ubuntu335
zoneminder (Alpine package): 1.1.20-1
zoneminder (Alpine package): 2.1.22.dfsg1-21
libgcrypt (Alpine package): 1.5.3-2.15
libgcrypt (Alpine package): 11ubuntu2
libgcrypt (Alpine package): 3.0pl1-124ubuntu2
libgcrypt (Alpine package): 8.13-3.2ubuntu2 - 8.13-3.2ubuntu3
libgcrypt (Alpine package): 0.4.1-4
libgcrypt (Alpine package): 1.23
libgcrypt (Alpine package): 1:0.8.6-0ubuntu2
libgcrypt (Alpine package): 0.4.1-2
libgcrypt (Alpine package): 2.8.12.1-1.3
libgcrypt (Alpine package): 0.21ubuntu1
libgcrypt (Alpine package):
libgcrypt (Alpine package): before 1.6.6-r0
zoneminder (Alpine package): before 1.30.2-r0
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_tivoli_storage_manager:5.4.3.0:*:*:*:*:*:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:2.8.3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:3.2.0-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:0.2.8-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:0.1.17:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:0.1.17.1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:1.17.0:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:20101020ubuntu334:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:20101020ubuntu335:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:zoneminder_alpine_package:1.1.20-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:zoneminder_alpine_package:2.1.22.dfsg1-21:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:1.5.3-2.15:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:11ubuntu2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:3.0pl1-124ubuntu2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:8.13-3.2ubuntu2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:0.4.1-4:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:1.23:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:1:0.8.6-0ubuntu2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:0.4.1-2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:2.8.12.1-1.3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:0.21ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package::*:*:*:*:alpine_linux:*:*
- cpe:2.3:o:alpine:libgcrypt_alpine_package:*:*:*:*:*:alpine_linux:*:3.1
- cpe:2.3:o:alpine:zoneminder_alpine_package:*:*:*:*:*:alpine_linux:*:3.4
https://git.alpinelinux.org/aports/commit/?id=324d2ab366311bfe36c0f674594330bc7290fec5
https://git.alpinelinux.org/aports/commit/?id=5aeeee9343fdca5daa5b325ab5e19f228071dd3f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
