CVE-2024-36078

Source
https://cve.org/CVERecord?id=CVE-2024-36078
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36078.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36078
Published
2024-05-19T20:15:08.043Z
Modified
2026-04-10T05:13:22.673083Z
Severity
  • 6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allows a local attacker on the server to modify the gem's files and inject arbitrary code into Zammad processes (which run with the environment and permissions of the Zammad user).

References

Affected packages

Git / github.com/zammad/zammad

Affected ranges

Type
GIT
Repo
https://github.com/zammad/zammad
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.3.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.3.0-alpha"
        }
    ]
}

Affected versions

1.*
1.6.0
3.*
3.7.0
5.*
5.2.0-alpha
5.3.0-alpha
5.4.0-alpha
5.5.0-alpha
6.*
6.0.0-alpha
6.1.0-alpha
6.2.0-alpha
6.3.0
6.3.0-alpha

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36078.json"