CVE-2020-29160

7.5 HIGH

📋 TL;DR

This vulnerability in Zammad allows attackers to modify Ticket Article data through a REST API call, bypassing auditing mechanisms. This affects all Zammad instances running versions before 3.5.1, potentially compromising ticket integrity and audit trails.

💻 Affected Systems

Products:
  • Zammad
Versions: All versions before 3.5.1
Operating Systems: All platforms running Zammad
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Zammad deployments regardless of configuration. The vulnerability is in the core REST API functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could alter critical ticket evidence, delete audit trails, or manipulate ticket data to hide malicious activity, potentially enabling fraud or covering up security incidents.

🟠

Likely Case

Unauthorized modification of ticket articles leading to data integrity issues, loss of audit trail accuracy, and potential compliance violations.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to authenticated users making modifications outside their authorization, which can be detected through secondary logging.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the REST API. The vulnerability is in the ticket article update functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.1

Vendor Advisory: https://zammad.com/en/advisories/zaa-2020-24

Restart Required: Yes

Instructions:

1. Backup your Zammad instance and database.
2. Update to Zammad version 3.5.1 or later.
3. Restart the Zammad service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict API Access

Applies to: all

Limit REST API access to trusted IP addresses only.

Configure firewall rules to restrict access to Zammad API endpoints (typically port 3000 or 443).

Enhanced Monitoring

Applies to: all

Implement additional logging and monitoring for ticket article modifications.

Enable verbose logging for ticket operations in Zammad configuration.

🧯 If You Can't Patch

  • Implement strict access controls and principle of least privilege for all Zammad users
  • Enable comprehensive audit logging and implement real-time alerting for ticket modifications

🔍 How to Verify

Check if Vulnerable:

Check Zammad version via admin interface or by running: zammad version

Check Version:

zammad version

Verify Fix Applied:

Confirm version is 3.5.1 or later and test that ticket article modifications now properly trigger audit logging

📡 Detection & Monitoring

Log Indicators:

  • Unexpected ticket article modifications
  • API calls to ticket update endpoints from unusual sources
  • Missing or incomplete audit logs for ticket changes

Network Indicators:

  • Unusual patterns of REST API calls to ticket endpoints
  • Bursts of PUT/PATCH requests to article endpoints

SIEM Query:

source="zammad" AND (event_type="ticket_article_update" OR api_endpoint="/api/v1/ticket_articles/*") AND user NOT IN [authorized_users]
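The following is an added example, not part of the advisory and not Zammad code: it applies the logic of the SIEM query above to constructed log records (source, event type, endpoint and user fields are assumed to be normalized this way by your log pipeline) and also implements the version check from the "How to Verify" section against the 3.5.1 fix threshold. The allow-list `AUTHORIZED_USERS` stands in for the `[authorized_users]` placeholder in the query; the sample events and user names are constructed.

```python
"""Added example: filter Zammad ticket-article updates by unauthorized users,
and check a reported Zammad version against the CVE-2020-29160 fix (3.5.1)."""
import re
from typing import Iterable

# Constructed sample events, shaped like normalized SIEM records (not real logs).
SAMPLE_EVENTS = [
    {"source": "zammad", "event_type": "ticket_article_update",
     "api_endpoint": "/api/v1/ticket_articles/42", "user": "agent.alice"},
    {"source": "zammad", "event_type": "ticket_article_update",
     "api_endpoint": "/api/v1/ticket_articles/43", "user": "svc-integration"},
    {"source": "zammad", "event_type": "ticket_create",
     "api_endpoint": "/api/v1/tickets", "user": "svc-integration"},
    # A non-Zammad source hitting the same path must not match (source filter).
    {"source": "nginx", "event_type": "http_request",
     "api_endpoint": "/api/v1/ticket_articles/44", "user": "-"},
]

# Placeholder allow-list; replace with the accounts permitted to edit articles.
AUTHORIZED_USERS = {"agent.alice", "agent.bob"}

# Equivalent of the wildcard "/api/v1/ticket_articles/*" in the SIEM query.
ARTICLE_ENDPOINT_RE = re.compile(r"^/api/v1/ticket_articles/[^/]+$")

FIXED_VERSION = (3, 5, 1)  # first release containing the fix


def matches_query(event: dict, authorized: set) -> bool:
    """Mirror the SIEM query: zammad source, article-update event or article
    endpoint, and a user outside the allow-list."""
    if event.get("source") != "zammad":
        return False
    is_article_op = (
        event.get("event_type") == "ticket_article_update"
        or ARTICLE_ENDPOINT_RE.match(event.get("api_endpoint", "")) is not None
    )
    return is_article_op and event.get("user") not in authorized


def find_suspicious(events: Iterable[dict], authorized: set) -> list:
    """Return the events that an analyst should review."""
    return [e for e in events if matches_query(e, authorized)]


def parse_version(version: str) -> tuple:
    """Extract the leading numeric components of a version string such as
    '3.5.1' (suffixes like '-rc1' are ignored). Missing patch defaults to 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version: str) -> bool:
    """True when the reported version predates the 3.5.1 fix."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS, AUTHORIZED_USERS):
        print("review:", hit["user"], hit["api_endpoint"])
    for v in ("3.4.0", "3.5.0", "3.5.1", "4.0.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Feed `find_suspicious` the output of your own log export (one dict per record) rather than the constructed sample, and keep the allow-list in sync with the roles that are actually permitted to edit ticket articles; an empty allow-list turns the filter into "every article update", which is a useful baseline when first tuning the rule.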

🔗 References
