Security Advisory

ZAA-2024-05

Please read carefully and check whether the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

Security Advisory Details

  • ID: ZAA-2024-05
  • Date: 2024-12-05
  • Title: Information Disclosure
  • Severity: medium
  • Product: Zammad 6.4.x
  • Fixed in: Zammad 6.4.1
  • References:
    --> CVE-2024-55578

Vulnerability Descriptions

Information Disclosure

Zammad manages its configuration via settings stored in the database. Whenever a setting is changed or reset, an entry is written to the log for auditing purposes. In the past, this log entry always included the setting's value, even for sensitive data such as tokens and secrets. This has now been changed to filter out sensitive settings, so that their actual values are no longer written to the log.

🚨 Administrators are advised to check their log files, backups and any systems consuming log data, and to take appropriate action.

The following settings may have leaked sensitive data to the logs if they were changed within the time period covered by the logs and/or backups:

application_secret
proxy_password
auth_twitter_credentials
auth_facebook_credentials
auth_google_oauth2_credentials
auth_linkedin_credentials
auth_github_credentials
auth_gitlab_credentials
auth_microsoft_office365_credentials
auth_weibo_credentials
auth_saml_credentials
monitoring_token
import_otrs_endpoint_key
import_otrs_password
import_zendesk_endpoint_key
import_freshdesk_endpoint_key
import_kayako_endpoint_password
check_mk_token
sipgate_token
cti_token
placetel_token
es_password
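As an added illustration (not Zammad's own code), the following Ruby sketches both sides of the issue described above: an audit logger that redacts the values of the listed settings, and a scanner an administrator could adapt to check existing log data for entries that were written before the fix. The log line format `Setting changed: <name> = <value>` and the sample log are assumptions constructed for this example; the real Zammad log format may differ.

```ruby
# Settings named in the advisory whose values must never reach the log.
SENSITIVE_SETTINGS = %w[
  application_secret proxy_password auth_twitter_credentials
  auth_facebook_credentials auth_google_oauth2_credentials
  auth_linkedin_credentials auth_github_credentials auth_gitlab_credentials
  auth_microsoft_office365_credentials auth_weibo_credentials
  auth_saml_credentials monitoring_token import_otrs_endpoint_key
  import_otrs_password import_zendesk_endpoint_key
  import_freshdesk_endpoint_key import_kayako_endpoint_password
  check_mk_token sipgate_token cti_token placetel_token es_password
].freeze

# Hardened audit entry: the setting name is kept for auditing, but the value
# is replaced by a marker when the setting is sensitive.
# (Line format is an assumption for this example, not Zammad's real format.)
def audit_log_line(name, value, action: 'changed')
  shown = SENSITIVE_SETTINGS.include?(name) ? '[FILTERED]' : value.inspect
  "Setting #{action}: #{name} = #{shown}"
end

# Scanner for existing logs: returns the names of sensitive settings whose
# value appears to have been written in clear (i.e. not already filtered).
def find_leaked_settings(log_text)
  pattern = /Setting (?:changed|reset): (?<name>\w+) = (?<value>.*)$/
  log_text.each_line.filter_map do |line|
    m = pattern.match(line) or next
    next unless SENSITIVE_SETTINGS.include?(m[:name])
    next if m[:value].strip == '[FILTERED]'
    m[:name]
  end.uniq
end

# Constructed sample log: one harmless setting, one leaked secret, one entry
# already written by the fixed logger.
SAMPLE_LOG = <<~LOG
  I, [2024-11-30T10:00:00] INFO -- : Setting changed: product_name = "Helpdesk"
  I, [2024-11-30T10:01:00] INFO -- : Setting changed: es_password = "s3cret"
  I, [2024-11-30T10:02:00] INFO -- : Setting reset: monitoring_token = [FILTERED]
LOG

if __FILE__ == $PROGRAM_NAME
  puts audit_log_line('es_password', 's3cret')
  puts "Leaked settings to rotate: #{find_leaked_settings(SAMPLE_LOG).inspect}"
end
```

Any setting the scanner reports should be treated as exposed wherever that log was stored or forwarded, which is why the advisory points at backups and log-consuming systems as well as the live log file.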

Special 🙏 and 🤘 and ❤️ to:

This vulnerability is fixed in the latest versions of Zammad; it is recommended to upgrade to one of them.

Fixed releases can be found at:

Or simply update Zammad if it was installed via an OS package manager.

Additional information

Online version of this advisory: https://zammad.com/en/advisories/zaa-2024-05

Please see our security policy and send remarks on security issues exclusively to security@zammad.com.
