CVE-2022-29806: 
NixOS vulnerability analysis and mitigation

CVE-2022-29806 affects ZoneMinder versions before 1.36.13, allowing remote code execution through an invalid language setting. The vulnerability was discovered in early 2022 and officially disclosed on April 26, 2022. The issue stems from a path traversal vulnerability in the debug log file functionality and default language option, which could allow attackers to write and execute arbitrary code (Krastanoel Blog).

The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue involves two main components: the ZMLOGDEBUGFILE validation in includes/logger.php which allows creation of files with any extension on any path, and the ZMLANG_DEFAULT validation in includes/lang.php that suffers from a path traversal vulnerability. These vulnerabilities can be chained together to achieve remote code execution (NVD, Krastanoel Blog).

The vulnerability allows attackers to achieve remote code execution on affected systems. An attacker can write arbitrary files to the system and execute them through the language settings functionality, potentially leading to complete system compromise (NVD).

The vulnerability was fixed in ZoneMinder version 1.36.13. The fix includes validation of ZMLANGDEFAULT option to prevent path traversal and improvements to the handling of language files. Users should upgrade to version 1.36.13 or later to mitigate this vulnerability (ZoneMinder Forum).