CVE-2022-39289
Published: 07 October 2022
Summary
CVE-2022-39289 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Zoneminder Zoneminder. Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 46.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41787
Vulnerability details
ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon…
more
as possible. Users unable to upgrade should disable database logging.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandates authorization checks before permitting access or data processing via external systems.
The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.
Audit record review and analysis can detect unauthorized exposure or access to sensitive information.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.