Remote Code Execution Vulnerability in ZoneMinder by ZoneMinder Developers
CVE-2022-29806

9.8CRITICAL

Key Information:

Vendor: Zoneminder
Status: Zoneminder
Vendor: CVE Published:; 26 April 2022

What is CVE-2022-29806?

ZoneMinder versions prior to 1.36.13 have a vulnerability that allows remote code execution through improper handling of invalid language configurations. This flaw enables an attacker to create a debug log file at arbitrary paths, thereby increasing the risk of exploitation. It is imperative for users of ZoneMinder to upgrade to the latest version to mitigate this security risk.

References

https://forums.zoneminder.com/viewtopic.php?t=31638

x_refsource_MISC

https://github.com/ZoneMinder/zoneminder/releases/tag/1.3...

x_refsource_MISC

https://github.com/ZoneMinder/zoneminder/commit/9fee64b62...

x_refsource_MISC

EPSS Score

87% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 26, 2022
Vulnerability Reserved
Apr 26, 2022

Zoneminder

What is CVE-2022-29806?

References

EPSS Score

CVSS V3.1

Timeline