Security features bypass in ZoneMinder

#VU68392 Security features bypass in ZoneMinder

Published: 2022-10-18

Vulnerability identifier: #VU68392

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-39289

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ZoneMinder
Other software / Other software solutions

Vendor: ZoneMinder.com

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a flaw in which the API exposes database log contents to user without privileges. A remote attacker can bypass security restrictions and insert, modify or delete log files.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ZoneMinder: 1.36.26 - 1.37.23

External links
http://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4
http://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in ZoneMinder