CVE-2022-39289 — Sensitive Information Exposure in Zoneminder

CWE-200 — Sensitive Information Exposure CWE-287 — Improper Authentication CWE-862 — Missing Authorization3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedOct 7

Description

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/zoneminder< zoneminder 1.36.31+dfsg1-1 (bookworm)

▶CVEListV5zoneminder/zoneminder< 1.36.27+1

▶NVDzoneminder/zoneminder1.37.0 — 1.37.24+1

▶Debianzoneminder/zoneminder< 1.36.31+dfsg1-1+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-39289: ZoneMinder is a free, open source Closed-circuit television software application↗2022-10-07

▶

📋Vendor Advisories

Debian

CVE-2022-39289: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...↗2022

▶