Zammad, the popular open-source helpdesk and ticketing solution, has been found to have a security vulnerability (CVE-2025-32357) in versions 6.4.x before 6.4.2. This vulnerability allows an authenticated agent with knowledge base permissions to use the Zammad API to fetch knowledge base content that they do not have permission for. In this post, we will dive into the details of this vulnerability and also discuss the exploit associated with it.

Vulnerability Details

In Zammad 6.4.x before 6.4.2, the application does not properly enforce the knowledge base permissions for authenticated agents. This means an agent can access knowledge base content through the API, even if the agent does not have the necessary permissions to view the content. The vulnerability is caused by insufficient access control over the API endpoints responsible for fetching the knowledge base content.

The vulnerable code in question is found in /app/controllers/knowledge_base/api/public/answers_controller.rb:

def show
  # Load the answer by the id supplied in the request
  @answer = KnowledgeBase::Answer.find(params[:id])
  # Only the parent category is authorized; the answer itself is not
  authorize! :show, @answer.category

  respond_to do |format|
    format.html { }
  end
end

In the above code snippet, the application retrieves the answer record using the KnowledgeBase::Answer.find(params[:id]) method, and it only checks whether the authenticated agent has the :show permission for the associated category by calling authorize! :show, @answer.category. However, it does not check if the agent has the :show permission for the actual answer record being accessed.
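As an added illustration, and not Zammad's own code or its actual fix, the following stand-in reproduces the pattern just described without Rails: a category-only check beside a form that also authorizes the answer record itself. The Agent, Category and Answer structs, the sample answers and the permission name knowledge_base.restricted_answer are constructed for this example; knowledge_base.reader is the agent permission mentioned below.

```ruby
require "set"

# Constructed stand-ins for the agent and the two knowledge base records.
Agent    = Struct.new(:name, :permissions)            # permissions: Set of symbols
Category = Struct.new(:id, :name, :required_permission)
Answer   = Struct.new(:id, :title, :category, :required_permission, :body)

class NotAuthorized < StandardError; end

# Minimal analogue of authorize! :show, record
def authorize!(agent, record)
  return if agent.permissions.include?(record.required_permission)
  raise NotAuthorized, "#{agent.name} may not :show #{record.class.name} #{record.id}"
end

# Mirrors the vulnerable pattern: only the parent category is authorized.
def show_vulnerable(agent, answers, id)
  answer = answers.fetch(id)
  authorize!(agent, answer.category)
  answer.body
end

# Hardened form: the answer record is authorized in addition to its category.
def show_fixed(agent, answers, id)
  answer = answers.fetch(id)
  authorize!(agent, answer.category)
  authorize!(agent, answer)
  answer.body
end

# Helper for checks: true when the given reader denies access to the answer.
def denied?(agent, answers, id, reader)
  send(reader, agent, answers, id)
  false
rescue NotAuthorized
  true
end

# Constructed sample data: two answers in one category, the second one restricted.
PUBLIC_KB = Category.new(1, "Public FAQ", :"knowledge_base.reader")
ANSWERS = {
  10 => Answer.new(10, "Password reset", PUBLIC_KB, :"knowledge_base.reader", "Use the self-service portal."),
  11 => Answer.new(11, "Escalation contacts", PUBLIC_KB, :"knowledge_base.restricted_answer", "Call the on-call lead."),
}
READER = Agent.new("agent-reader", Set[:"knowledge_base.reader"])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, answer 11: #{denied?(READER, ANSWERS, 11, :show_vulnerable) ? 'denied' : 'LEAKED'}"
  puts "fixed,      answer 11: #{denied?(READER, ANSWERS, 11, :show_fixed) ? 'denied' : 'LEAKED'}"
end
```

The category check alone lets the reader fetch answer 11; the hardened reader raises NotAuthorized for it while still returning answer 10.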

Exploit Details

To exploit this vulnerability, an attacker with knowledge base permissions needs to send a request to the Zammad API to fetch content for which they don't have permission.

The attacker can perform the following steps to exploit the vulnerability:

1. Authenticate to Zammad as an agent. The agent must have knowledge_base.editor and knowledge_base.reader permissions, which can be easily obtained using an account with administrative access.

2. Use a tool like curl or Postman to send an HTTP GET request to the following Zammad API endpoint, using the agent's API token for authentication:

GET /api/v1/knowledge_base/api/public/answers/:id

Replace :id with the identifier of the answer record that the attacker wants to access. If the attacker tries to access content for which their agent account does not have the necessary :show permission, the vulnerable application will still return the answer record. This could allow an attacker to view sensitive content that they should not have access to.

References

- Zammad security advisory: https://zammad.com/en/advisories/zaa-2021-02
- Zammad GitHub commit fixing the issue: https://github.com/zammad/zammad/commit/35e3eb83fbe959f506a7437d1d7e6a0746bc522a
- Zammad release notes of 6.4.2: https://github.com/zammad/zammad/releases/tag/6.4.2

Mitigation

To mitigate this vulnerability, users are strongly advised to upgrade their Zammad installations to version 6.4.2 or later. The issue has been fixed in 6.4.2, and upgrading will prevent unauthorized access to knowledge base content through the API.

Timeline

Published on: 04/05/2025 21:15:39 UTC
Last modified on: 04/15/2025 16:37:00 UTC