PT-2024-26886 · Zammad · Zammad

Michael F. Schönitzer · Published 2024-05-19 · Updated 2024-07-03 · CVE-2024-36078

CVSS v3.1: 6.7 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Zammad versions prior to 6.3.1

Description
A Ruby gem bundled by Zammad is installed with world-writable file permissions. Any local user on the server can therefore modify the gem's files and inject arbitrary code that is loaded by Zammad processes; that code runs with the environment and privileges of the Zammad user.

Recommendations
For versions prior to 6.3.1, update to version 6.3.1 or later to resolve the issue. As a temporary workaround, remove write access for other users from the gem's files and directories (for example, clear the world-write bit) so that only the owning user can modify them.
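As an added example (not part of this advisory and not Zammad's own code), the POSIX shell functions below audit a gem directory for world-writable files and directories and apply the workaround above by stripping the world-write bit. The advisory does not name the affected gem, so every path here is an assumption, and `make_demo_gem_dir` is a constructed fixture that recreates the vulnerable state in a temporary directory; on a real server, point `find_world_writable` at the directory that `bundle info <gem>` reports for Zammad's bundle.

```shell
#!/bin/sh
# Added example, not the advisory's or Zammad's own code.
# All paths are assumptions: the advisory does not name the affected gem.

# Print every regular file or directory under $1 whose world-write bit
# (octal 0002) is set. Prints nothing when the tree is clean.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable entries under $1; "0" means the tree is safe.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Workaround from the advisory: clear the world-write bit on every file and
# directory under $1. Owner and group permissions are left untouched, so the
# Zammad user can still run and update the gem.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Constructed fixture standing in for a gem directory such as
# <zammad>/vendor/bundle/ruby/<ver>/gems/<gem>-<version> (hypothetical path).
# It reproduces the vulnerable install: a world-writable lib/ and .rb file.
make_demo_gem_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib"
    printf 'module Demo; end\n' > "$dir/lib/demo.rb"
    chmod 0777 "$dir/lib"
    chmod 0666 "$dir/lib/demo.rb"
    printf '%s\n' "$dir"
}

# Stand-alone usage against a real install (assumed path):
#   find_world_writable /opt/zammad/vendor/bundle
#   fix_world_writable  /opt/zammad/vendor/bundle
```

Run the audit first and review its output before applying the fix; a non-empty listing under the bundle directory is the condition this advisory describes. The permissions fix only closes the local modification vector for the files it touches, so upgrading to 6.3.1 or later remains the actual remediation.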

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2024-36078

Affected Products
Zammad