CVE-2024-33666
📋 TL;DR
This vulnerability in Zammad allows users with customer-level access to retrieve time accounting details for tickets via the API, although that data should be available only to agent-level users. It exposes sensitive operational data to unauthorized parties. Zammad versions earlier than 6.3.0 are affected.
💻 Affected Systems
- Zammad
📦 What is this software?
Zammad by Zammad
⚠️ Risk & Real-World Impact
Worst Case
Customers could access detailed time tracking data across multiple tickets, potentially revealing internal workflows, productivity metrics, and operational patterns that could be used for competitive intelligence or targeted attacks.
Likely Case
Individual customers accessing time accounting data for their own tickets, potentially learning about internal response times, agent workload, and operational efficiency for their specific cases.
If Mitigated
With proper access controls and monitoring, impact is limited to potential data exposure that can be detected and investigated through audit logs.
🎯 Exploit Status
Exploitation requires valid customer credentials and API access to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.0
Vendor Advisory: https://zammad.com/en/advisories/zaa-2024-01
Restart Required: Yes
Instructions:
1. Back up your Zammad instance.
2. Update to Zammad 6.3.0 or later using your preferred update method (package manager, Docker, manual).
3. Restart Zammad services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable time accounting feature
Applies to: all
Temporarily disable the time accounting functionality to prevent data exposure:
zammad run rails r "Setting.set('time_accounting', false)"
Restrict API access
Applies to: all
Implement network-level restrictions on the API endpoints.
🧯 If You Can't Patch
- Implement strict network segmentation to limit API access to trusted networks only
- Enable detailed API audit logging and monitor for unauthorized access attempts to time accounting endpoints
🔍 How to Verify
Check if Vulnerable:
Versions earlier than 6.3.0 are vulnerable. Check the Zammad version via the admin interface or with the command below.
Check Version:
zammad run rails r "puts Zammad::Application::Version"
Verify Fix Applied:
Verify that the version is 6.3.0 or later and test that customer users cannot access time accounting data via the API.
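The version comparison above is easy to get wrong when done as a string comparison (for example "6.10.0" sorts before "6.3.0" lexically). The following is an added helper, not part of the advisory or of Zammad, that parses the output of the version command into a numeric tuple and compares it against the fix version 6.3.0; the `read_installed_version` wrapper and its use of `subprocess` are assumptions about how a practitioner would call the page's command.

```python
import re
import subprocess

# Fix version from the advisory (6.3.0); anything older is considered affected.
PATCHED = (6, 3, 0)

# The version command quoted in the advisory; the wrapper around it is an assumption.
VERSION_CMD = ["zammad", "run", "rails", "r", "puts Zammad::Application::Version"]


def parse_version(text):
    """Extract the leading numeric components of a version string such as '6.2.1'.

    Trailing suffixes (e.g. '-rc1') are ignored; a string without three numeric
    components raises ValueError instead of silently comparing as 'patched'.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text):
    """True when the installed version is 6.3.0 or later (numeric, not lexical, compare)."""
    return parse_version(version_text) >= PATCHED


def read_installed_version():
    """Run the advisory's version command on the host and return its output (assumed wrapper)."""
    out = subprocess.run(VERSION_CMD, capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    installed = read_installed_version()
    state = "patched" if is_patched(installed) else "VULNERABLE (update to 6.3.0 or later)"
    print(f"Zammad {installed}: {state}")
```

Run it on the Zammad host as the user that normally runs `zammad run`; a version string in an unexpected format raises an error rather than reporting the instance as patched.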
📡 Detection & Monitoring
Log Indicators:
- API requests to time accounting endpoints from customer-level users
- Unusual access patterns to /api/v1/tickets/*/time_accounting
Network Indicators:
- HTTP GET requests to time accounting API endpoints from IP addresses not associated with agent users
SIEM Query:
source="zammad" AND (uri_path="/api/v1/tickets/*/time_accounting" OR endpoint="time_accounting") AND user_role="customer"
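For environments without a SIEM, the same logic as the query above can be run as a script over exported request logs. The following is an added example, not part of the advisory or of Zammad: it reads JSON-lines records carrying the fields the SIEM query uses (`uri_path`, `user_role`, optionally `endpoint`), matches the `/api/v1/tickets/*/time_accounting` path pattern from the log indicators above, and reports customer-role requests per user, separating those that returned 200 (data actually served) from those that were denied. The sample log lines and their field names are constructed for this example and are not real Zammad log output.

```python
import json
import re
from collections import Counter

# The page's path pattern /api/v1/tickets/*/time_accounting, with '*' as one ticket id segment.
TIME_ACCOUNTING_RE = re.compile(r"^/api/v1/tickets/[^/]+/time_accounting(?:\.json)?/?$")

# Constructed sample records (NOT real Zammad logs). Fields mirror the SIEM query above.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:01Z","user":"agent-7","user_role":"agent","method":"GET","uri_path":"/api/v1/tickets/41/time_accounting","status":200}
{"ts":"2024-05-01T10:00:05Z","user":"cust-12","user_role":"customer","method":"GET","uri_path":"/api/v1/tickets/41","status":200}
{"ts":"2024-05-01T10:00:09Z","user":"cust-12","user_role":"customer","method":"GET","uri_path":"/api/v1/tickets/41/time_accounting","status":200}
{"ts":"2024-05-01T10:00:10Z","user":"cust-12","user_role":"customer","method":"GET","uri_path":"/api/v1/tickets/42/time_accounting","status":200}
{"ts":"2024-05-01T10:00:11Z","user":"cust-12","user_role":"customer","method":"GET","uri_path":"/api/v1/tickets/43/time_accounting","status":403}
{"ts":"2024-05-01T10:00:20Z","user":"cust-3","user_role":"customer","method":"GET","uri_path":"/api/v1/tickets/44","status":200}
not a json line
"""


def parse_lines(text):
    """Yield one dict per JSON line; blank and unparsable lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def is_time_accounting_request(entry):
    """Match either the ticket time-accounting path or an explicit endpoint tag."""
    path = entry.get("uri_path", "")
    return bool(TIME_ACCOUNTING_RE.match(path)) or entry.get("endpoint") == "time_accounting"


def find_customer_time_accounting_hits(text):
    """Return the records where a customer-role user requested time accounting data."""
    return [
        e for e in parse_lines(text)
        if e.get("user_role") == "customer" and is_time_accounting_request(e)
    ]


def summarize(text):
    """Per-user counts of customer hits, and of those that were actually served (HTTP 200)."""
    hits = find_customer_time_accounting_hits(text)
    per_user = Counter(e.get("user", "?") for e in hits)
    served = Counter(e.get("user", "?") for e in hits if e.get("status") == 200)
    return {"hits": len(hits), "per_user": dict(per_user), "served": dict(served)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(json.dumps(report, indent=2))
    for e in find_customer_time_accounting_hits(SAMPLE_LOG):
        print(f"{e['ts']} {e['user']} {e['method']} {e['uri_path']} -> {e['status']}")
```

Requests that were served with 200 on a version earlier than 6.3.0 are the ones to investigate as actual exposure; 403 responses after patching are the expected outcome and confirm the fix is in effect.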