CVE-2022-39291: 
NixOS vulnerability analysis and mitigation

ZoneMinder, a free and open-source Closed-circuit television software application, was found to contain a vulnerability (CVE-2022-39291) that allows users with 'View' system permissions to inject data into the logs stored by ZoneMinder. The vulnerability was disclosed on October 7, 2022, affecting versions <= 1.36.26 and <= 1.37.23, and was patched in versions 1.36.27 and 1.37.24 (GitHub Advisory).

The vulnerability was discovered in the log injection functionality accessible through an HTTP POST request to the '/zm/index.php' endpoint. Users with 'View' system permissions could submit log information without any rate control mechanisms in place. The vulnerability was assigned a CVSS v3.1 score of 4.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, indicating network attack vector, low attack complexity, low privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability could lead to a Denial of Service (DoS) condition by affecting database performance and potentially consuming all storage resources. Since the submission of log entries was not rate-controlled, malicious users could exploit this to overwhelm the system (GitHub Advisory).

The vulnerability was patched through multiple commits that implemented proper permission checking and added a new configuration parameter ZMLOGINJECT to control log injection capabilities. The fix was released in versions 1.36.27 and 1.37.24. No workarounds were available for unpatched systems, and users were advised to upgrade to the patched versions (GitHub Advisory).