CVE-2023-26032

2023-02-2501:15:56

Debian Security Bug Tracker

security-tracker.debian.org

zoneminder

sql injection

cctv

linux

ip cameras

usb cameras

analog cameras

jwt token

hash key

version 1.36.33

version 1.37.33

security issue

CVSS3

8.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

AI Score

8.3

Confidence

High

EPSS

0.001

Percentile

50.6%

JSON

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via malicious jason web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.

OSVersionArchitecturePackageVersionFilename
Debian12allzoneminder< 1.36.33+dfsg1-1zoneminder_1.36.33+dfsg1-1_all.deb
Debian11allzoneminder<= 1.34.23-1zoneminder_1.34.23-1_all.deb
Debian999allzoneminder< 1.36.33+dfsg1-1zoneminder_1.36.33+dfsg1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	zoneminder	< 1.36.33+dfsg1-1	zoneminder_1.36.33+dfsg1-1_all.deb
Debian	11	all	zoneminder	<= 1.34.23-1	zoneminder_1.34.23-1_all.deb
Debian	999	all	zoneminder	< 1.36.33+dfsg1-1	zoneminder_1.36.33+dfsg1-1_all.deb