Details of VAR-202210-0275

ID

VAR-202210-0275

CVE

CVE-2022-39289

TITLE

ZoneMinder Vulnerability regarding lack of authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2022-018649

DESCRIPTION

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging. ZoneMinder Exists in a vulnerability related to the lack of authentication.Information may be tampered with

Trust: 1.62

sources: NVD: CVE-2022-39289 // JVNDB: JVNDB-2022-018649

IOT TAXONOMY

category:

['home & office device']

sub_category:

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	zoneminder	model:	zoneminder	scope:	lt	version:	1.37.24	Trust: 1.0
vendor:	zoneminder	model:	zoneminder	scope:	lte	version:	1.36.27	Trust: 1.0
vendor:	zoneminder	model:	zoneminder	scope:	gte	version:	1.37.0	Trust: 1.0
vendor:	zoneminder	model:	zoneminder	scope:	eq	version:	-	Trust: 0.8
vendor:	zoneminder	model:	zoneminder	scope:	-	version:	-	Trust: 0.8
vendor:	zoneminder	model:	zoneminder	scope:	lte	version:	1.36.27 and earlier	Trust: 0.8
vendor:	zoneminder	model:	zoneminder	scope:	eq	version:	1.37.0 that's all 1.37.24	Trust: 0.8

sources: JVNDB: JVNDB-2022-018649 // NVD: CVE-2022-39289

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-39289
value:	HIGH
Trust: 1.0
security-advisories@github.com:	CVE-2022-39289
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2022-39289
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202210-332
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-39289
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
security-advisories@github.com:	CVE-2022-39289
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2022-39289
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-018649 // CNNVD: CNNVD-202210-332 // NVD: CVE-2022-39289 // NVD: CVE-2022-39289

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.0
problemtype:	CWE-200	Trust: 1.0
problemtype:	CWE-287	Trust: 1.0
problemtype:	Lack of authentication (CWE-862) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-018649 // NVD: CVE-2022-39289

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-332

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202210-332

PATCH

title:

ZoneMinder Repair measures for information disclosure vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=210330

Trust: 0.6

sources: CNNVD: CNNVD-202210-332

EXTERNAL IDS

db:	NVD	id:	CVE-2022-39289	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-018649	Trust: 0.8
db:	CNNVD	id:	CNNVD-202210-332	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2022-018649 // CNNVD: CNNVD-202210-332 // NVD: CVE-2022-39289

REFERENCES

url:	https://github.com/zoneminder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4	Trust: 2.4
url:	https://github.com/zoneminder/zoneminder/security/advisories/ghsa-mpcx-3gvh-9488	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-39289	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-39289/	Trust: 0.6
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2022-018649 // CNNVD: CNNVD-202210-332 // NVD: CVE-2022-39289

SOURCES

db:	OTHER	id:	-
db:	JVNDB	id:	JVNDB-2022-018649
db:	CNNVD	id:	CNNVD-202210-332
db:	NVD	id:	CVE-2022-39289

LAST UPDATE DATE

2025-01-30T22:05:01.937000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2022-018649	date:	2023-10-20T08:27:00
db:	CNNVD	id:	CNNVD-202210-332	date:	2023-07-17T00:00:00
db:	NVD	id:	CVE-2022-39289	date:	2023-07-14T18:13:15.957

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2022-018649	date:	2023-10-20T00:00:00
db:	CNNVD	id:	CNNVD-202210-332	date:	2022-10-07T00:00:00
db:	NVD	id:	CVE-2022-39289	date:	2022-10-07T21:15:11.553