
Please read carefully and check whether the version of your Zammad system is affected by this vulnerability. Please send information regarding vulnerabilities in Zammad to: security at zammad.com

Security Advisory Details

Vulnerability Descriptions

Information Disclosure in HTTP Headers of default config example (CVE pending)

HTTP response headers from the Zammad application include the type and version of the web server software deployed in front of the system. An attacker could use this information to look up public vulnerabilities and target attacks against that specific server type and version.
It is also possible to determine the exact version of the NginX/Apache2 instance serving the application from the HTTP response headers when the web server was set up with the example/default configuration.

Special 🙏 and 🤘 and ❤️ to:

N: Guardian Project
W: https://guardianproject.info

N: Center for Digital Resilience
W: https://digiresilience.org

N: TÜV Rheinland i-sec GmbH
D: Security Researcher
W: https://www.tuv.com

Recommended Resolution

Existing webserver/reverse proxy installations can't be updated automatically, so manual action is required.

For NginX: Extend your "server" block with "server_tokens off;" as in https://github.com/zammad/zammad/blob/develop/contrib/nginx/zammad.conf

For Apache2: Extend your "VirtualHost" with "ServerTokens Prod" and "ServerSignature Off" as in https://github.com/zammad/zammad/blob/develop/contrib/apache2/zammad_ssl.conf
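To verify that the change above took effect, an administrator can look at the Server header of a response from their own Zammad front end. The following script is an added example for this advisory, not Zammad project code: it parses raw HTTP response headers and reports which headers still carry a product version. The sample responses are constructed for illustration; the "nginx/1.18.0" and "Apache/2.4.41 (Ubuntu)" values stand in for a default configuration, while "nginx" and "Apache" are what nginx sends with "server_tokens off;" and Apache with "ServerTokens Prod". The fetch_raw_headers helper, which retrieves a live response, is an assumed convenience for running the check against your own host.

```python
import http.client
import re
import sys

# Constructed sample responses (not captured from any real system). The
# "default" entries mirror what an unmodified nginx/Apache sends; the
# "hardened" entries mirror the output after applying the advisory's directives.
SAMPLE_RESPONSES = {
    "nginx_default": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n",
    "nginx_hardened": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "apache_default": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    "apache_hardened": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "no_server_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# A product token followed by a dotted version, e.g. "nginx/1.18.0" or "PHP/7.4".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")

# Headers that commonly reveal server software; checked case-insensitively.
DISCLOSING_HEADERS = ("server", "x-powered-by")


def parse_headers(raw):
    """Split a raw HTTP response head into a lowercase-name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def version_leaks(raw):
    """Return the names of headers whose values still carry a version string."""
    headers = parse_headers(raw)
    return [name for name in DISCLOSING_HEADERS
            if name in headers and VERSION_RE.search(headers[name])]


def audit(responses):
    """Run version_leaks over a mapping of label -> raw response."""
    return {label: version_leaks(raw) for label, raw in responses.items()}


def fetch_raw_headers(host, port=443, path="/", use_tls=True):
    """Assumed helper: fetch the response head from your own server as raw text."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    status = "HTTP/1.1 %d %s" % (resp.status, resp.reason)
    lines = ["%s: %s" % (k, v) for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join([status] + lines) + "\r\n\r\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_server_header.py zammad.example.com
        leaks = version_leaks(fetch_raw_headers(sys.argv[1]))
        print("version disclosed in: %s" % (leaks or "none"))
    else:
        for label, leaks in audit(SAMPLE_RESPONSES).items():
            print("%-18s -> %s" % (label, leaks or "no version disclosed"))
```

Run without arguments to see the constructed samples classified; run with a hostname to check a live front end. Note that with "server_tokens off;" nginx still announces "nginx" and with "ServerTokens Prod" Apache still announces "Apache", so the check looks for the version component rather than the product name.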

Additional information

Online version of this advisory: https://zammad.com/news/security-advisory-zaa-2020-08

Send all remarks on security issues to security @ zammad.com.