Security Advisory
ZAA-2021-02
· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!
Security Advisory Details
- ID: ZAA-2021-02
- Date: 06/08/2020
- Title: Password written to logs when probing email connection
- Severity: low
- Product: Zammad 1.0.x up to 4.0.0
- Fixed in: Zammad 4.0.1, 4.1.0
- References:
--> CVE: CVE-2021-35299
Vulnerability Descriptions
Password written to logs when probing email connection
Zammad comes with a functionality to automatically probe the email connection configuration. Whenever a full probing (inbound and outbound) connection configuration was probed successfully the valid credentials were logged to the Zammad application log file. This would allow an attacker to read the valid credentials when access to this file would be possible.
Special 🙏 and 🤘 and ❤️ to:
- N: Axel Franz
- C: Ray Sono AG
Recommended Resolution
This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.
Fixed releases can be found at:
- https://zammad.org/
- https://ftp.zammad.com/
Or just update your Zammad if installed via OS package manager.
Additional information
Online version of this advisory: https://zammad.com/en/advisories/zaa-2021-02
Send all remarks to security issues to security@zammad.com.