CVE-2022-29806
Published: 26 April 2022
Summary
CVE-2022-29806 is a critical-severity Path Traversal (CWE-22) vulnerability in Zoneminder Zoneminder. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
ZoneMinder before version 1.36.13 contains a path traversal vulnerability (CWE-22) that permits remote code execution when an invalid language setting is supplied. The flaw is made more exploitable by the application's ability to write a debug log file to an arbitrary pathname on the server.
Unauthenticated remote attackers can supply a crafted language value over the network to trigger code execution, achieving full confidentiality, integrity, and availability impact without any user interaction or credentials. The CVSS 9.8 score reflects the network-accessible, low-complexity nature of the attack.
Public references point to an official fix released in ZoneMinder 1.36.13, accompanied by a specific commit that addresses the language-handling and log-file path issues; administrators are advised to upgrade to this or later versions. The associated EPSS score reached a peak of 0.8865 and currently stands at 0.7876.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34127
Vulnerability details
ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.