Cyber Resilience

CVE-2022-39289

Severity: Critical · Public PoC: referenced

Published: 07 October 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed upstream; upgrade beyond the affected version ranges listed under Affected Assets
CVSS Score v3.1: 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.0030 (53.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39289 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in ZoneMinder (vendor ZoneMinder). Its CVSS base score is 9.1 (Critical); the vector's high integrity impact (I:H) reflects the unauthorized insertion, modification and deletion of log entries described under Vulnerability details, not only the read exposure.

Operationally, its EPSS score of 0.0030 places it at the 53.8th percentile of CVEs by exploit likelihood (top 46.2%); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Vulnerability details

ZoneMinder is a free, open source closed-circuit television software application. In affected versions the ZoneMinder API exposes database log contents to users without privileges and allows insertion, modification and deletion of logs without System privileges. Users are advised to upgrade as soon as possible. Users unable to upgrade should disable database logging.
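The quickest way to confirm whether an instance still serves log data to an unprivileged caller is to request the log listing with no session and look at what comes back. The script below is an added example, not ZoneMinder project code, and it rests on two assumptions you should verify against your install: that the API is mounted at /zm/api and that the log listing is GET /zm/api/logs.json returning a JSON object with a "logs" key (the CakePHP index shape). The sample response bodies are constructed, not captured. The probe only exercises the read side; it does not attempt the log insertion, modification or deletion the description mentions.

```python
"""Unauthenticated read probe for the ZoneMinder log API (CVE-2022-39289).

Added example, not ZoneMinder project code. Assumed (verify for your
install): the API is served at <base>/zm/api and the log listing is
GET <base>/zm/api/logs.json, answering with a JSON object whose "logs"
key holds one row per Log entry. The request carries no cookie, so the
result reflects what an unprivileged caller sees.
"""
import json
import sys
import urllib.error
import urllib.request

LOGS_PATH = "/zm/api/logs.json"   # assumed location of the log listing

# Constructed sample bodies, not captured from a real instance.
SAMPLE_EXPOSED = json.dumps({
    "logs": [
        {"Log": {"Id": "1", "Level": "INF", "Component": "zmc_m1",
                 "Message": "Starting Capture version 1.36.27"}},
        {"Log": {"Id": "2", "Level": "ERR", "Component": "web_php",
                 "Message": "Login failed for user 'admin' from 10.0.0.5"}},
    ]
}).encode()
SAMPLE_LOGIN_PAGE = b"<html><body>Please log in</body></html>"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it, so a bounce to the
    web UI's login page is visible as a 'guarded' verdict."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def log_rows(body: bytes):
    """Return the list under "logs" when the body has the assumed index
    shape, otherwise None (non-JSON, or JSON without a "logs" list)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    rows = doc.get("logs") if isinstance(doc, dict) else None
    return rows if isinstance(rows, list) else None


def classify(status: int, body: bytes) -> str:
    """Verdict for one unauthenticated response from LOGS_PATH.

    exposed -> 200 with a "logs" list served without any session (an empty
               list still counts: the endpoint answers anonymously, the
               database log level just happens to be off)
    guarded -> 401/403, or a redirect to the login page
    unknown -> anything else; inspect by hand (404 if the path differs,
               a 200 HTML page, a server error)
    """
    if status in (401, 403) or 300 <= status < 400:
        return "guarded"
    if status == 200 and log_rows(body) is not None:
        return "exposed"
    return "unknown"


def probe(base_url: str, timeout: float = 10.0):
    """GET LOGS_PATH with no cookies; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + LOGS_PATH,
                                 headers={"Accept": "application/json"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
        return err.code, err.read()


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://zoneminder.example", file=sys.stderr)
        return 2
    try:
        status, body = probe(argv[1])
    except urllib.error.URLError as err:
        print(f"request failed: {err.reason}", file=sys.stderr)
        return 2
    verdict = classify(status, body)
    rows = log_rows(body) or []
    print(f"HTTP {status}: {verdict} ({len(rows)} log rows returned)")
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats when reading the verdict. On an install that has authentication switched off entirely, every API call is anonymous by design and "exposed" tells you nothing about this CVE; check that OPT_USE_AUTH is enabled first. And the interim workaround the advisory gives, disabling database logging, corresponds to ZoneMinder's ZM_LOG_LEVEL_DATABASE option under Options > Logging: with it set to None the endpoint still answers, but the "logs" list it returns is empty, which this probe reports as exposed with 0 rows.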

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (primary, as cited in the summary). The control mapping below also references CWE-862 (Missing Authorization) and CWE-287 (Improper Authentication).

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zoneminder
Product: zoneminder
Affected versions: ≤ 1.36.27 · 1.37.0 to 1.37.24

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.

addresses: CWE-862 CWE-200

Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.

addresses: CWE-862 CWE-200

Mandates authorization checks before permitting access or data processing via external systems.

addresses: CWE-862 CWE-200

The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.

addresses: CWE-200 CWE-287

Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.

addresses: CWE-200 CWE-287

Audit record review and analysis can detect unauthorized exposure or access to sensitive information.

addresses: CWE-287 CWE-862

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

References