Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2024-36464[0]:
| When exporting media types, the password is exported in the YAML in
| plain text. This appears to be a best practices type issue and may
| have no actual impact. The user would need to have permissions to
| access the media types and therefore would be expected to have
| access to these passwords.

https://support.zabbix.com/browse/ZBX-25630

CVE-2024-36467[1]:
| An authenticated user with API access (e.g.: user with default User
| role), more specifically a user with access to the user.update API
| endpoint is enough to be able to add themselves to any group (e.g.:
| Zabbix Administrators), except to groups that are disabled or having
| restricted GUI access.

https://support.zabbix.com/browse/ZBX-25614

CVE-2024-36468[2]:
| The reported vulnerability is a stack buffer overflow in the
| zbx_snmp_cache_handle_engineid function within the Zabbix
| server/proxy code. This issue occurs when copying data from
| session->securityEngineID to local_record.engineid without proper
| bounds checking.

https://support.zabbix.com/browse/ZBX-25621

CVE-2024-42326[3]:
| There was discovered a use-after-free bug in browser.c in the
| es_browser_get_variant function.

https://support.zabbix.com/browse/ZBX-25622

CVE-2024-42327[4]:
| A non-admin user account on the Zabbix frontend with the default
| User role, or with any other role that gives API access, can exploit
| this vulnerability. An SQLi exists in the CUser class in the
| addRelatedObjects function; this function is being called from the
| CUser.get function, which is available for every user who has API
| access.

https://support.zabbix.com/browse/ZBX-25623

CVE-2024-42328[5]:
| When the webdriver for the Browser object downloads data from an HTTP
| server, the data pointer is set to NULL and is allocated only in
| curl_write_cb when receiving data. If the server's response is an
| empty document, then wd->data in the code below will remain NULL and
| an attempt to read from it will result in a crash.

https://support.zabbix.com/browse/ZBX-25624

CVE-2024-42329[6]:
| The webdriver for the Browser object expects an error object to be
| initialized when the webdriver_session_query function fails. But
| this function can fail for various reasons without an error
| description, and then wd->error will be NULL and trying to read
| from it will result in a crash.

https://support.zabbix.com/browse/ZBX-25625

CVE-2024-42330[7]:
| The HttpRequest object allows getting the HTTP headers from the
| server's response after sending the request. The problem is that the
| returned strings are created directly from the data returned by the
| server and are not correctly encoded for JavaScript. This allows
| creating internal strings that can be used to access hidden
| properties of objects.

https://support.zabbix.com/browse/ZBX-25626

CVE-2024-42331[8]:
| In the src/libs/zbxembed/browser.c file, the es_browser_ctor method
| retrieves a heap pointer from the Duktape JavaScript engine. This
| heap pointer is subsequently utilized by the browser_push_error
| method in the src/libs/zbxembed/browser_error.c file. A
| use-after-free bug can occur at this stage if the wd->browser heap
| pointer is freed by garbage collection.

https://support.zabbix.com/browse/ZBX-25627

CVE-2024-42332[9]:
| The researcher is showing that due to the way the SNMP trap log is
| parsed, an attacker can craft an SNMP trap with additional lines of
| information and have forged data show in the Zabbix UI. This attack
| requires SNMP auth to be off and/or the attacker to know the
| community/auth details. The attack requires an SNMP item to be
| configured as text on the target host.

https://support.zabbix.com/browse/ZBX-25628

CVE-2024-42333[10]:
| The researcher is showing that it is possible to leak a small amount
| of Zabbix Server memory using an out-of-bounds read in
| src/libs/zbxmedia/email.c

https://support.zabbix.com/browse/ZBX-25629

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36464
    https://www.cve.org/CVERecord?id=CVE-2024-36464
[1] https://security-tracker.debian.org/tracker/CVE-2024-36467
    https://www.cve.org/CVERecord?id=CVE-2024-36467
[2] https://security-tracker.debian.org/tracker/CVE-2024-36468
    https://www.cve.org/CVERecord?id=CVE-2024-36468
[3] https://security-tracker.debian.org/tracker/CVE-2024-42326
    https://www.cve.org/CVERecord?id=CVE-2024-42326
[4] https://security-tracker.debian.org/tracker/CVE-2024-42327
    https://www.cve.org/CVERecord?id=CVE-2024-42327
[5] https://security-tracker.debian.org/tracker/CVE-2024-42328
    https://www.cve.org/CVERecord?id=CVE-2024-42328
[6] https://security-tracker.debian.org/tracker/CVE-2024-42329
    https://www.cve.org/CVERecord?id=CVE-2024-42329
[7] https://security-tracker.debian.org/tracker/CVE-2024-42330
    https://www.cve.org/CVERecord?id=CVE-2024-42330
[8] https://security-tracker.debian.org/tracker/CVE-2024-42331
    https://www.cve.org/CVERecord?id=CVE-2024-42331
[9] https://security-tracker.debian.org/tracker/CVE-2024-42332
    https://www.cve.org/CVERecord?id=CVE-2024-42332
[10] https://security-tracker.debian.org/tracker/CVE-2024-42333
     https://www.cve.org/CVERecord?id=CVE-2024-42333

Please adjust the affected versions in the BTS as needed.
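The bug class behind CVE-2024-36468 (a peer-controlled engine ID length copied into a fixed-size field without a bounds check), shown as an added illustration that is not Zabbix code and does not reproduce zbx_snmp_cache_handle_engineid. The struct and field names mirror the advisory wording but are assumptions; the 32-octet limit is the SnmpEngineID bound from RFC 3411, chosen here as the demo field size. The hardened variant refuses an oversized ID instead of truncating it, because a truncated engine ID is simply a different ID.

```c
/* Added example: unchecked vs. checked copy of an SNMPv3 engine ID into a
 * fixed-size record. Illustrative names only, not the project's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENGINEID_MAX 32   /* RFC 3411 SnmpEngineID is 5..32 octets; assumed field size */

struct session {
    const uint8_t *securityEngineID;   /* bytes taken from the peer */
    size_t securityEngineIDLen;        /* length taken from the peer */
};

struct engineid_record {
    uint8_t engineid[ENGINEID_MAX];    /* fixed-size field on the stack of the caller */
    size_t engineid_len;
};

/* Vulnerable pattern: the peer-supplied length is trusted, so any
 * securityEngineIDLen above ENGINEID_MAX writes past engineid[]. */
void cache_engineid_unchecked(struct engineid_record *rec, const struct session *s)
{
    memcpy(rec->engineid, s->securityEngineID, s->securityEngineIDLen);
    rec->engineid_len = s->securityEngineIDLen;
}

/* Hardened pattern: validate the length against the destination size and
 * report failure; the caller must treat -1 as "record not usable". */
int cache_engineid_checked(struct engineid_record *rec, const struct session *s)
{
    if (s->securityEngineID == NULL || s->securityEngineIDLen > sizeof(rec->engineid))
        return -1;
    memcpy(rec->engineid, s->securityEngineID, s->securityEngineIDLen);
    rec->engineid_len = s->securityEngineIDLen;
    return 0;
}

/* Constructed sample inputs for the demo (not captured traffic). */
const uint8_t sample_engineid[8] = { 0x80, 0x00, 0x00, 0x1f, 0x88, 0x80, 0x01, 0x02 };
uint8_t sample_oversized[ENGINEID_MAX + 16];   /* zero-filled; only its length matters */

int main(void)
{
    struct engineid_record rec;
    struct session good = { sample_engineid, sizeof sample_engineid };
    struct session bad  = { sample_oversized, sizeof sample_oversized };

    cache_engineid_unchecked(&rec, &good);      /* safe only because the input fits */
    printf("unchecked copy stored %zu bytes\n", rec.engineid_len);
    printf("checked copy of %zu-byte id: %d\n", bad.securityEngineIDLen,
           cache_engineid_checked(&rec, &bad));  /* -1: refused, no overflow */
    return 0;
}
```

The unchecked function is kept only to show the shape of the defect; never call it with a length that is not already known to fit the destination.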
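CVE-2024-42328 and CVE-2024-42329 are the same failure mode: a pointer (wd->data, wd->error) that is only allocated on the success path and is then read as if it were always set. The added example below is illustrative code, not the Zabbix webdriver; the callback has the shape of a libcurl CURLOPT_WRITEFUNCTION but no libcurl is linked, and the transfer is simulated with constructed chunks. It shows a body accumulator that stays NULL for an empty document, the unchecked read that crashes on it, and accessors that treat "no body" and "no error description" as ordinary states.

```c
/* Added example: NULL-until-first-chunk buffers and accessors that tolerate them.
 * Illustrative names only, not the project's code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct webdriver {
    char *data;        /* response body, NULL until the first chunk arrives */
    size_t data_len;
    char *error;       /* error description, NULL when the failure carried none */
};

/* libcurl-style write callback: size * nmemb bytes at ptr, userdata -> struct webdriver.
 * If the server sends an empty document this is never called and data stays NULL. */
size_t curl_write_cb(const char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct webdriver *wd = userdata;
    size_t n = size * nmemb;
    char *p = realloc(wd->data, wd->data_len + n + 1);
    if (p == NULL)
        return 0;                       /* a short return tells libcurl to abort */
    wd->data = p;
    memcpy(wd->data + wd->data_len, ptr, n);
    wd->data_len += n;
    wd->data[wd->data_len] = '\0';
    return n;
}

/* Vulnerable pattern: assumes the body was allocated; strlen(NULL) crashes. */
size_t body_length_unchecked(const struct webdriver *wd)
{
    return strlen(wd->data);
}

/* Hardened accessors: an empty body is "", a missing description is a fixed message. */
const char *wd_body(const struct webdriver *wd)
{
    return wd->data != NULL ? wd->data : "";
}

const char *wd_error(const struct webdriver *wd)
{
    return wd->error != NULL ? wd->error : "unknown webdriver error";
}

/* Simulates a transfer by feeding constructed chunks through the callback. */
void wd_simulate(struct webdriver *wd, const char *const *chunks, size_t nchunks)
{
    memset(wd, 0, sizeof *wd);
    for (size_t i = 0; i < nchunks; i++)
        curl_write_cb(chunks[i], 1, strlen(chunks[i]), wd);
}

void wd_free(struct webdriver *wd)
{
    free(wd->data);
    wd->data = NULL;
    wd->data_len = 0;
}

int main(void)
{
    struct webdriver wd;
    const char *chunks[] = { "{\"value\":", "\"ok\"}" };   /* constructed response */

    wd_simulate(&wd, NULL, 0);                  /* empty document: data stays NULL */
    printf("empty body -> \"%s\", error -> \"%s\"\n", wd_body(&wd), wd_error(&wd));

    wd_simulate(&wd, chunks, 2);
    printf("body (%zu bytes) -> %s\n", body_length_unchecked(&wd), wd_body(&wd));
    wd_free(&wd);
    return 0;
}
```

body_length_unchecked is only ever called here after a non-empty simulated transfer; calling it on the empty case is exactly the crash the advisory describes.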
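For CVE-2024-42330 the practical check is to refuse to hand a raw HTTP header value to the script engine unless it is well-formed text. HTTP field values may legally carry arbitrary high bytes (obs-text in RFC 9110), so the server controls every byte. My understanding, which the advisory does not state and which is an assumption here, is that Duktape marks hidden (internal) property keys with a leading byte that can never start a UTF-8 sequence; a strict UTF-8 check therefore rejects such strings along with any other malformed input. The example below is added illustrative code, not Zabbix's HttpRequest implementation, and the sample header values are constructed.

```c
/* Added example: validate header bytes before they become script strings.
 * Illustrative names only, not the project's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf[0..len) is well-formed UTF-8 per RFC 3629 (no overlongs,
 * no surrogates, nothing above U+10FFFF, no stray continuation bytes), else 0. */
int utf8_valid(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t b = buf[i];
        size_t need;                    /* continuation bytes expected */
        uint8_t lo = 0x80, hi = 0xBF;   /* allowed range of the first continuation byte */
        if (b < 0x80)                      { i++; continue; }
        else if (b >= 0xC2 && b <= 0xDF)   { need = 1; }
        else if (b == 0xE0)                { need = 2; lo = 0xA0; }   /* no overlongs */
        else if (b == 0xED)                { need = 2; hi = 0x9F; }   /* no surrogates */
        else if (b >= 0xE1 && b <= 0xEF)   { need = 2; }
        else if (b == 0xF0)                { need = 3; lo = 0x90; }   /* no overlongs */
        else if (b == 0xF4)                { need = 3; hi = 0x8F; }   /* <= U+10FFFF */
        else if (b >= 0xF1 && b <= 0xF3)   { need = 3; }
        else return 0;                     /* 0x80-0xC1 and 0xF5-0xFF never lead a sequence */
        if (len - i < need + 1)
            return 0;                      /* truncated sequence */
        if (buf[i + 1] < lo || buf[i + 1] > hi)
            return 0;
        for (size_t k = 2; k <= need; k++)
            if ((buf[i + k] & 0xC0) != 0x80)
                return 0;
        i += need + 1;
    }
    return 1;
}

/* Accepts a header value for use as a plain script string: no control bytes
 * other than HTAB, no DEL, and well-formed UTF-8. Returns 1 if acceptable. */
int header_value_ok_for_script(const uint8_t *v, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if ((v[i] < 0x20 && v[i] != '\t') || v[i] == 0x7F)
            return 0;
    return utf8_valid(v, len);
}

/* Constructed sample header values (not captured traffic). */
const uint8_t sample_ascii[]    = "text/html; charset=utf-8";
const uint8_t sample_utf8[]     = "caf\xC3\xA9";              /* "café" */
const uint8_t sample_badlead[]  = { 0xFF, 'V', 'a', 'l', 'u', 'e' };  /* 0xFF never starts UTF-8 */
const uint8_t sample_overlong[] = { 0xC0, 0xAF };            /* overlong encoding of '/' */
const uint8_t sample_crlf[]     = "ok\r\ninjected";          /* raw CR/LF inside a value */

int main(void)
{
    printf("ascii     -> %d\n", header_value_ok_for_script(sample_ascii, sizeof sample_ascii - 1));
    printf("utf8      -> %d\n", header_value_ok_for_script(sample_utf8, sizeof sample_utf8 - 1));
    printf("bad lead  -> %d\n", header_value_ok_for_script(sample_badlead, sizeof sample_badlead));
    printf("overlong  -> %d\n", header_value_ok_for_script(sample_overlong, sizeof sample_overlong));
    printf("crlf      -> %d\n", header_value_ok_for_script(sample_crlf, sizeof sample_crlf - 1));
    return 0;
}
```

Rejecting is the conservative choice for a monitoring script API; if header values with odd bytes must still be observable, encode them (for example as a hex or base64 string) on the C side rather than pushing the raw bytes as a string.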