CVE-2017-5595 — Sensitive Information Exposure in Zoneminder

CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 56.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedFeb 6

Latest updateMay 17

Description

A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/zoneminder< zoneminder 1.30.4+dfsg-1 (bookworm)

▶Debianzoneminder/zoneminder< 1.30.4+dfsg-1+3

▶NVDzoneminder/zoneminder1.30.0

Patches

Patch: seclists.org ↗Patch: seclists.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-88gp-83c5-44hg: A file disclosure and inclusion vulnerability exists in web/views/file↗2022-05-17

▶

OSV

CVE-2017-5595: A file disclosure and inclusion vulnerability exists in web/views/file↗2017-02-06

▶

📋Vendor Advisories

Debian

CVE-2017-5595: zoneminder - A file disclosure and inclusion vulnerability exists in web/views/file.php in Zo...↗2017

▶

💬Community

Bugzilla

CVE-2017-5595 zoneminder: File disclosure due to unfiltered user-input↗2017-02-06

▶

Bugzilla

CVE-2017-5595 zoneminder: File disclosure due to unfiltered user-input [fedora-all]↗2017-02-06

▶