CVE-2024-36078

Source: https://nvd.nist.gov/vuln/detail/CVE-2024-36078
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36078.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2024-36078
Published: 2024-05-19T20:15:08Z
Modified: 2025-04-16T03:11:58.606592Z
Summary: [none]
Details

In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allows a local attacker on the server to modify the gem's files and inject arbitrary code into Zammad processes (which run with the environment and permissions of the Zammad user).

References

Affected packages

Git / github.com/zammad/zammad

Affected ranges

Type
GIT
Repo
https://github.com/zammad/zammad
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Last affected

Affected versions

1.*

1.6.0
1.6.1

2.*

2.10.0

3.*

3.7.0

5.*

5.2.0-alpha
5.3.0-alpha
5.4.0-alpha
5.5.0-alpha

6.*

6.0.0-alpha
6.1.0-alpha
6.2.0-alpha
6.3.0
6.3.0-alpha