CVE-2019-6991
published 2019-01-28

Priority P259, critical, 9.8 CVSS 3.0
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EPSS: 3.31% (87.0th percentile)
A classic Stack-based buffer overflow exists in the zmLoadUser() function in zm_user.cpp of the zmu binary in ZoneMinder through 1.32.3, allowing an unauthenticated attacker to execute code via a long username.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | < zoneminder 1.32.3-2 (bookworm) | zoneminder 1.32.3-2 (bookworm) |
| zoneminder | zoneminder | <= 1.32.3 | |
| zoneminder | zoneminder | >= 0 < 1.32.3-2 | 1.32.3-2 |
| zoneminder | zoneminder | >= 0 < 1.32.3-2 | 1.32.3-2 |
| zoneminder | zoneminder | >= 0 < 1.32.3-2 | 1.32.3-2 |
| zoneminder | zoneminder | >= 0 < 1.32.3-2 | 1.32.3-2 |
| zoneminder | zoneminder | >= 0 < 1.29.0+dfsg-1ubuntu2+esm1 | 1.29.0+dfsg-1ubuntu2+esm1 |
| zoneminder | zoneminder | >= 0 < 1.32.3-2ubuntu2+esm1 | 1.32.3-2ubuntu2+esm1 |
| zoneminder | zoneminder | >= 0 < 1.36.12+dfsg1-1ubuntu0.1~esm1 | 1.36.12+dfsg1-1ubuntu0.1~esm1 |

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via a long username string passed to the zmLoadUser() function in zm_user.cpp of the zmu binary — monitor for abnormally long username inputs to ZoneMinder's zmu binary
  • Target function is zmLoadUser() in zm_user.cpp within the zmu binary of ZoneMinder — focus code/binary analysis and runtime monitoring on this specific function and binary
  • Affected versions are ZoneMinder through 1.32.3; Debian packages fixed in version 1.32.3-2 across bookworm, bullseye, forky, sid, and trixie
  • The vulnerability is exploitable by unauthenticated attackers, meaning no credentials are required to trigger the stack-based buffer overflow

CVSS provenance

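| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 6.1 | MEDIUM | |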