Security Advisory

ZAA-2020-08

· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

Security Advisory Details

  • ID: ZAA-2020-08
  • Date: 03/03/2020
  • Title: Information Disclosure in HTTP Headers of default config example
  • Severity: low
  • Product: Zammad 1.0.x up to 3.2.0
  • Fixed in: Zammad 3.2.1, 3.3.0
  • References:
    --> CVE: pending

Vulnerability Descriptions

Information Disclosure in HTTP Headers of default config example (CVE pending)

HTTP response headers from the Zammad application include the type and version of the web server software deployed for the system. An attacker could use this information to find public vulnerabilities and target attacks against specific types and versions of the server.

It is also possible to determine the exact version of the NginX/Apache2 used by the application from the HTTP response headers that were configured with the example/default configuration.

Special 🙏 and 🤘 and ❤️ to:

Existing Webserver/Reverse Proxies installations can't be updated automatically. Therefore manual action is required.

Additional information

Online version of this advisory: https://zammad.com/en/advisories/zaa-2020-08

Send all remarks to security issues to security@zammad.com.

Signup
Freuen Ihre Kunden sich schon auf die Service-Hotline?
Kostenlos testen!