- Package: src:zabbix
- Source: src:zabbix
- Submitter: Moritz Mühlenhoff
- Date: 2025-08-28 18:05:10 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerabilities were published for zabbix.

CVE-2024-36464[0]:
| When exporting media types, the password is exported in the YAML in
| plain text. This appears to be a best practices type issue and may
| have no actual impact. The user would need to have permissions to
| access the media types and therefore would be expected to have
| access to these passwords.

https://support.zabbix.com/browse/ZBX-25630

CVE-2024-36467[1]:
| An authenticated user with API access (e.g.: user with default User
| role), more specifically a user with access to the user.update API
| endpoint is enough to be able to add themselves to any group (e.g.:
| Zabbix Administrators), except to groups that are disabled or having
| restricted GUI access.

https://support.zabbix.com/browse/ZBX-25614

CVE-2024-36468[2]:
| The reported vulnerability is a stack buffer overflow in the
| zbx_snmp_cache_handle_engineid function within the Zabbix
| server/proxy code. This issue occurs when copying data from
| session->securityEngineID to local_record.engineid without proper
| bounds checking.

https://support.zabbix.com/browse/ZBX-25621

CVE-2024-42326[3]:
| There was discovered a use after free bug in browser.c in the
| es_browser_get_variant function

https://support.zabbix.com/browse/ZBX-25622

CVE-2024-42327[4]:
| A non-admin user account on the Zabbix frontend with the default
| User role, or with any other role that gives API access can exploit
| this vulnerability. An SQLi exists in the CUser class in the
| addRelatedObjects function, this function is being called from the
| CUser.get function which is available for every user who has API
| access.

https://support.zabbix.com/browse/ZBX-25623

CVE-2024-42328[5]:
| When the webdriver for the Browser object downloads data from a HTTP
| server, the data pointer is set to NULL and is allocated only in
| curl_write_cb when receiving data. If the server's response is an
| empty document, then wd->data in the code below will remain NULL and
| an attempt to read from it will result in a crash.

https://support.zabbix.com/browse/ZBX-25624

CVE-2024-42329[6]:
| The webdriver for the Browser object expects an error object to be
| initialized when the webdriver_session_query function fails. But
| this function can fail for various reasons without an error
| description and then the wd->error will be NULL and trying to read
| from it will result in a crash.

https://support.zabbix.com/browse/ZBX-25625

CVE-2024-42330[7]:
| The HttpRequest object allows to get the HTTP headers from the
| server's response after sending the request. The problem is that the
| returned strings are created directly from the data returned by the
| server and are not correctly encoded for JavaScript. This allows to
| create internal strings that can be used to access hidden properties
| of objects.

https://support.zabbix.com/browse/ZBX-25626

CVE-2024-42331[8]:
| In the src/libs/zbxembed/browser.c file, the es_browser_ctor method
| retrieves a heap pointer from the Duktape JavaScript engine. This
| heap pointer is subsequently utilized by the browser_push_error
| method in the src/libs/zbxembed/browser_error.c file. A use-after-
| free bug can occur at this stage if the wd->browser heap pointer is
| freed by garbage collection.

https://support.zabbix.com/browse/ZBX-25627

CVE-2024-42332[9]:
| The researcher is showing that due to the way the SNMP trap log is
| parsed, an attacker can craft an SNMP trap with additional lines of
| information and have forged data show in the Zabbix UI. This attack
| requires SNMP auth to be off and/or the attacker to know the
| community/auth details. The attack requires an SNMP item to be
| configured as text on the target host.

https://support.zabbix.com/browse/ZBX-25628

CVE-2024-42333[10]:
| The researcher is showing that it is possible to leak a small amount
| of Zabbix Server memory using an out of bounds read in
| src/libs/zbxmedia/email.c

https://support.zabbix.com/browse/ZBX-25629

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36464
    https://www.cve.org/CVERecord?id=CVE-2024-36464
[1] https://security-tracker.debian.org/tracker/CVE-2024-36467
    https://www.cve.org/CVERecord?id=CVE-2024-36467
[2] https://security-tracker.debian.org/tracker/CVE-2024-36468
    https://www.cve.org/CVERecord?id=CVE-2024-36468
[3] https://security-tracker.debian.org/tracker/CVE-2024-42326
    https://www.cve.org/CVERecord?id=CVE-2024-42326
[4] https://security-tracker.debian.org/tracker/CVE-2024-42327
    https://www.cve.org/CVERecord?id=CVE-2024-42327
[5] https://security-tracker.debian.org/tracker/CVE-2024-42328
    https://www.cve.org/CVERecord?id=CVE-2024-42328
[6] https://security-tracker.debian.org/tracker/CVE-2024-42329
    https://www.cve.org/CVERecord?id=CVE-2024-42329
[7] https://security-tracker.debian.org/tracker/CVE-2024-42330
    https://www.cve.org/CVERecord?id=CVE-2024-42330
[8] https://security-tracker.debian.org/tracker/CVE-2024-42331
    https://www.cve.org/CVERecord?id=CVE-2024-42331
[9] https://security-tracker.debian.org/tracker/CVE-2024-42332
    https://www.cve.org/CVERecord?id=CVE-2024-42332
[10] https://security-tracker.debian.org/tracker/CVE-2024-42333
    https://www.cve.org/CVERecord?id=CVE-2024-42333

Please adjust the affected versions in the BTS as needed.
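The CVE-2024-36468 entry above describes a length taken from the peer's SNMP session being copied into a fixed-size engine ID field with no bounds check. The following is an added illustration of that bug class and its fix, not Zabbix's code: the struct names, the 32-byte `ENGINEID_MAX` and the `try_cache()` driver are assumptions made for the example, and the "wire" engine ID is constructed input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for the example; not Zabbix's actual definition. */
#define ENGINEID_MAX 32

/* Hypothetical cache record with a fixed-size engine ID buffer, the
 * kind of local that would live on the stack in the caller. */
struct engineid_record {
	unsigned char	engineid[ENGINEID_MAX];
	size_t		engineid_len;
};

/* Hypothetical view of the session: engine ID and length as received
 * from the network peer, so both are attacker-controlled. */
struct snmp_session_view {
	const unsigned char	*securityEngineID;
	size_t			securityEngineIDLen;
};

/* Vulnerable shape: the peer-supplied length drives memcpy into a fixed
 * stack buffer. With securityEngineIDLen > ENGINEID_MAX this writes past
 * engineid[]. Shown for contrast only; never call it with an untrusted
 * length. */
static void	cache_engineid_unchecked(struct engineid_record *rec,
		const struct snmp_session_view *s)
{
	memcpy(rec->engineid, s->securityEngineID, s->securityEngineIDLen);
	rec->engineid_len = s->securityEngineIDLen;
}

/* Hardened shape: validate the length against the destination size
 * (sizeof, not a separate constant, so the two cannot drift apart) and
 * refuse the record instead of truncating silently. Returns 0 on success,
 * -1 if the engine ID is absent or oversized. */
static int	cache_engineid_checked(struct engineid_record *rec,
		const struct snmp_session_view *s)
{
	if (NULL == s->securityEngineID || 0 == s->securityEngineIDLen)
		return -1;
	if (s->securityEngineIDLen > sizeof(rec->engineid))
		return -1;

	memcpy(rec->engineid, s->securityEngineID, s->securityEngineIDLen);
	rec->engineid_len = s->securityEngineIDLen;
	return 0;
}

/* Drives the checked copy with a constructed engine ID of 'len' bytes
 * (len must be <= 64 here). Returns the result of the checked copy. */
static int	try_cache(size_t len)
{
	unsigned char			wire[64];
	struct engineid_record		rec;
	struct snmp_session_view	view;

	memset(wire, 0xAB, sizeof(wire));
	memset(&rec, 0, sizeof(rec));
	view.securityEngineID = wire;
	view.securityEngineIDLen = len;

	/* The unchecked variant is only exercised with an in-range length,
	 * which is the one case where both behave the same. */
	if (len <= ENGINEID_MAX)
		cache_engineid_unchecked(&rec, &view);

	return cache_engineid_checked(&rec, &view);
}

int	main(void)
{
	printf("len 12 -> %d (0 = cached)\n", try_cache(12));
	printf("len 32 -> %d (0 = cached)\n", try_cache(32));
	printf("len 40 -> %d (-1 = rejected)\n", try_cache(40));
	printf("len  0 -> %d (-1 = rejected)\n", try_cache(0));
	return 0;
}
```

The check compares against `sizeof(rec->engineid)` rather than a separately maintained maximum so that a later change to the buffer size cannot leave the bound stale.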
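The CVE-2024-42328 entry above describes a response buffer that stays NULL when the server sends an empty body, because the buffer is only allocated inside the libcurl write callback and that callback is never invoked for zero bytes. The block below is an added example of that failure mode, not Zabbix's code: `struct wd_response`, the consumer functions and the chunked "transfer" are assumptions for illustration, and the chunks are constructed input standing in for what libcurl would feed the callback.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical response holder mirroring the described pattern: data is
 * NULL until the first write callback allocates it. */
struct wd_response {
	char	*data;
	size_t	len;
};

/* Stand-in with the CURLOPT_WRITEFUNCTION prototype. Allocates on the
 * first chunk and grows on later ones; returns bytes consumed, or 0 on
 * allocation failure (which makes libcurl abort the transfer). For an
 * empty body libcurl never calls this, so data stays NULL. */
static size_t	curl_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
	struct wd_response	*r = userdata;
	size_t			n = size * nmemb;
	char			*p;

	if (NULL == (p = realloc(r->data, r->len + n + 1)))
		return 0;

	memcpy(p + r->len, ptr, n);
	r->data = p;
	r->len += n;
	r->data[r->len] = '\0';
	return n;
}

/* Unsafe consumer: assumes the callback ran. On an empty body this
 * dereferences NULL. Kept for contrast; not called below. */
static size_t	body_length_unchecked(const struct wd_response *r)
{
	return strlen(r->data);
}

/* Safe consumer: a NULL buffer is an empty document, not an error. */
static size_t	body_length_checked(const struct wd_response *r)
{
	return (NULL == r->data) ? 0 : strlen(r->data);
}

/* Simulates one transfer that delivered 'nchunks' chunks to the callback
 * and returns the checked body length, freeing the buffer afterwards. */
static size_t	simulate_transfer(const char *const *chunks, size_t nchunks)
{
	struct wd_response	r = { NULL, 0 };
	size_t			i, len;

	for (i = 0; i < nchunks; i++)
		curl_write_cb((char *)chunks[i], 1, strlen(chunks[i]), &r);

	len = body_length_checked(&r);
	free(r.data);
	return len;
}

/* Empty document: zero chunks, callback never runs, data stays NULL. */
static size_t	demo_empty_body(void)
{
	return simulate_transfer(NULL, 0);
}

/* Non-empty document delivered in two chunks (constructed input). */
static size_t	demo_two_chunks(void)
{
	static const char *const	chunks[] = { "<html>", "</html>" };

	return simulate_transfer(chunks, 2);
}

int	main(void)
{
	(void)body_length_unchecked;	/* not exercised: would crash on NULL */
	printf("empty body  -> %zu bytes\n", demo_empty_body());
	printf("two chunks  -> %zu bytes\n", demo_two_chunks());
	return 0;
}
```

The point is that "no callback invocation" is a normal outcome of a successful transfer (HTTP 204, or a 200 with Content-Length: 0), so every reader of the buffer has to treat NULL as the empty document rather than relying on the callback having allocated it.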
Hi,

I was triaging zabbix for LTS, and could come up with some details for the vulnerabilities below.

CVE-2024-36467 has been fixed in upstream version 7.0.3rc1

CVE-2024-42327 has been fixed in upstream version 7.0.1rc1 (upstream commit https://github.com/zabbix/zabbix/commit/9256f8d933a50a468ae36e7a40301aa761941612 )

CVE-2024-42330 has been fixed in upstream version 7.0.4rc1

CVE-2024-42332 has been fixed in upstream version 7.0.5rc1 (upstream claims 7.0.4, however the found patch, commit https://github.com/zabbix/zabbix/commit/e2982fbe05fe0a232c3fd71f2a3426a0bf400f77 appears first in 7.0.5rc1.)

... more to follow

Cheers,
-- tobi
Hi,

(continued)

CVE-2024-42332 has been fixed in upstream version 7.0.4rc1

CVE-2024-36468 has been fixed in upstream version 7.0.3rc1

CVE-2024-42326 has been fixed in upstream version 7.0.4rc1

CVE-2024-42329 has been fixed in upstream version 7.0.4rc1

CVE-2024-42331 has been fixed in upstream version 7.0.4rc1

For CVE-2024-42328 there is not enough information to triage it down to the commits, however, upstream claims it is fixed in 7.0.4rc1 as well.
(Cloning bug for the remaining CVE, setting metadata for the other to the first upload which fixed all the vulnerabilities.)
According to upstream [1], this low severity issue was fixed in 7.0.4, but submitter could not identify corresponding patch... IMHO this should not cause removal of Zabbix from "testing". I'll downgrade severity of this issue to "important" while we are waiting for upstream clarification.

[1]: https://support.zabbix.com/browse/ZBX-25624

--
Some of us realize the self-evident truth that no election, no constitution, no legislation, and no other pseudo-religious political ritual can bestow upon anyone the right to rule another. Nothing can make a man into a rightful master; nothing can make a man into a rightful slave.
-- Larken Rose, The Iron Web