Arbitrary Code Injection in Zammad Before 6.3.1 Due to World-Writable Gem Files
CVE-2024-36078

6.7MEDIUM

Key Information:

Vendor: Zammad
Status: Zammad
Vendor: CVE Published:; 19 May 2024

What is CVE-2024-36078?

An issue has been identified in Zammad, where prior to version 6.3.1, a Ruby gem included with the application is installed with world-writable permissions. This configuration flaw can be exploited by a local attacker on the server to alter the gem's files, allowing for the injection of arbitrary code into the Zammad processes. These processes execute with the environment and permissions of the Zammad user, which could lead to unauthorized actions or data breaches. It is crucial for users to update to the latest version to mitigate potential risks associated with this vulnerability.

References

https://zammad.com/en/advisories/zaa-2024-04

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2024

CVE-2024-36078 Data

JSON