CVE-2022-39289

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4	Patch Third Party Advisory
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zoneminder:zoneminder::::::::
	cpe:2.3:a:zoneminder:zoneminder::::::::

History

14 Jul 2023, 18:13

Type	Values Removed	Values Added
CWE	CWE-200 CWE-287	CWE-862

11 Oct 2022, 13:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:zoneminder:zoneminder::::::::
First Time		Zoneminder Zoneminder zoneminder
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(CONFIRM) https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488 -~~	(CONFIRM) https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488 - Exploit, Patch, Third Party Advisory
References	~~(MISC) https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4 -~~	(MISC) https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4 - Patch, Third Party Advisory

08 Oct 2022, 00:57

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-07 21:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-39289

Mitre link : CVE-2022-39289

CVE.ORG link : CVE-2022-39289

JSON object : View

Products Affected

zoneminder

zoneminder

CWE

CWE-862

Missing Authorization

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-287

Improper Authentication

{"id": "CVE-2022-39289", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2022-10-07T21:15:11.553", "references": [{"url": "https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging."}, {"lang": "es", "value": "ZoneMinder es una aplicaci\u00f3n de software de televisi\u00f3n en circuito cerrado, gratuita y de c\u00f3digo abierto. En las versiones afectadas, la API de ZoneMinder expone el contenido de los registros de la base de datos a usuarios no privilegiados, y permite una inserci\u00f3n, modificaci\u00f3n y eliminaci\u00f3n de registros no privilegiados de sistema. Es recomendado a usuarios actualizar lo antes posible. Los usuarios que no puedan actualizarse deber\u00e1n deshabilitar el registro de la base de datos"}], "lastModified": "2023-07-14T18:13:15.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71924B40-1B96-4D20-AF19-51DA9D41B216", "versionEndIncluding": "1.36.27"}, {"criteria": "cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C6BB71F-F044-465B-A7F4-C2F11E8AA8A3", "versionEndExcluding": "1.37.24", "versionStartIncluding": "1.37.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}