Your message dated Sun, 15 Dec 2024 17:11:20 +0100
with message-id <98581c528f6828793ba09e99e1da53da75b4f0ae.ca...@debian.org>
and subject line Re: zabbix: CVE-2024-36464 CVE-2024-36467 CVE-2024-36468
CVE-2024-42326 CVE-2024-42327 CVE-2024-42328 CVE-2024-42329 CVE-2024-42330
CVE-2024-42331 CVE-2024-42332 CVE-2024-42333
has caused the Debian Bug report #1088689,
regarding zabbix: CVE-2024-36467 CVE-2024-36468 CVE-2024-42326 CVE-2024-42327
CVE-2024-42329 CVE-2024-42330 CVE-2024-42331 CVE-2024-42332 CVE-2024-42333
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1088689: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for zabbix.
CVE-2024-36464[0]:
| When exporting media types, the password is exported in the YAML in
| plain text. This appears to be a best practices type issue and may
| have no actual impact. The user would need to have permissions to
| access the media types and therefore would be expected to have
| access to these passwords.
https://support.zabbix.com/browse/ZBX-25630
CVE-2024-36467[1]:
| An authenticated user with API access (e.g.: user with default User
| role), more specifically a user with access to the user.update API
| endpoint is enough to be able to add themselves to any group (e.g.:
| Zabbix Administrators), except to groups that are disabled or having
| restricted GUI access.
https://support.zabbix.com/browse/ZBX-25614
CVE-2024-36468[2]:
| The reported vulnerability is a stack buffer overflow in the
| zbx_snmp_cache_handle_engineid function within the Zabbix
| server/proxy code. This issue occurs when copying data from
| session->securityEngineID to local_record.engineid without proper
| bounds checking.
https://support.zabbix.com/browse/ZBX-25621
CVE-2024-42326[3]:
| There was discovered a use after free bug in browser.c in the
| es_browser_get_variant function
https://support.zabbix.com/browse/ZBX-25622
CVE-2024-42327[4]:
| A non-admin user account on the Zabbix frontend with the default
| User role, or with any other role that gives API access can exploit
| this vulnerability. An SQLi exists in the CUser class in the
| addRelatedObjects function, this function is being called from the
| CUser.get function which is available for every user who has API
| access.
https://support.zabbix.com/browse/ZBX-25623
CVE-2024-42328[5]:
| When the webdriver for the Browser object downloads data from a HTTP
| server, the data pointer is set to NULL and is allocated only in
| curl_write_cb when receiving data. If the server's response is an
| empty document, then wd->data in the code below will remain NULL and
| an attempt to read from it will result in a crash.
https://support.zabbix.com/browse/ZBX-25624
CVE-2024-42329[6]:
| The webdriver for the Browser object expects an error object to be
| initialized when the webdriver_session_query function fails. But
| this function can fail for various reasons without an error
| description and then the wd->error will be NULL and trying to read
| from it will result in a crash.
https://support.zabbix.com/browse/ZBX-25625
CVE-2024-42330[7]:
| The HttpRequest object allows to get the HTTP headers from the
| server's response after sending the request. The problem is that the
| returned strings are created directly from the data returned by the
| server and are not correctly encoded for JavaScript. This allows to
| create internal strings that can be used to access hidden properties
| of objects.
https://support.zabbix.com/browse/ZBX-25626
CVE-2024-42331[8]:
| In the src/libs/zbxembed/browser.c file, the es_browser_ctor method
| retrieves a heap pointer from the Duktape JavaScript engine. This
| heap pointer is subsequently utilized by the browser_push_error
| method in the src/libs/zbxembed/browser_error.c file. A use-after-
| free bug can occur at this stage if the wd->browser heap pointer is
| freed by garbage collection.
https://support.zabbix.com/browse/ZBX-25627
CVE-2024-42332[9]:
| The researcher is showing that due to the way the SNMP trap log is
| parsed, an attacker can craft an SNMP trap with additional lines of
| information and have forged data show in the Zabbix UI. This attack
| requires SNMP auth to be off and/or the attacker to know the
| community/auth details. The attack requires an SNMP item to be
| configured as text on the target host.
https://support.zabbix.com/browse/ZBX-25628
CVE-2024-42333[10]:
| The researcher is showing that it is possible to leak a small amount
| of Zabbix Server memory using an out of bounds read in
| src/libs/zbxmedia/email.c
https://support.zabbix.com/browse/ZBX-25629
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-36464
https://www.cve.org/CVERecord?id=CVE-2024-36464
[1] https://security-tracker.debian.org/tracker/CVE-2024-36467
https://www.cve.org/CVERecord?id=CVE-2024-36467
[2] https://security-tracker.debian.org/tracker/CVE-2024-36468
https://www.cve.org/CVERecord?id=CVE-2024-36468
[3] https://security-tracker.debian.org/tracker/CVE-2024-42326
https://www.cve.org/CVERecord?id=CVE-2024-42326
[4] https://security-tracker.debian.org/tracker/CVE-2024-42327
https://www.cve.org/CVERecord?id=CVE-2024-42327
[5] https://security-tracker.debian.org/tracker/CVE-2024-42328
https://www.cve.org/CVERecord?id=CVE-2024-42328
[6] https://security-tracker.debian.org/tracker/CVE-2024-42329
https://www.cve.org/CVERecord?id=CVE-2024-42329
[7] https://security-tracker.debian.org/tracker/CVE-2024-42330
https://www.cve.org/CVERecord?id=CVE-2024-42330
[8] https://security-tracker.debian.org/tracker/CVE-2024-42331
https://www.cve.org/CVERecord?id=CVE-2024-42331
[9] https://security-tracker.debian.org/tracker/CVE-2024-42332
https://www.cve.org/CVERecord?id=CVE-2024-42332
[10] https://security-tracker.debian.org/tracker/CVE-2024-42333
https://www.cve.org/CVERecord?id=CVE-2024-42333
Please adjust the affected versions in the BTS as needed.
--- End Message ---
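The pattern described for CVE-2024-42328 above, as an added example that is not part of the original report and is not Zabbix code: a buffer allocated only inside a write callback stays NULL when the body is empty, so the consumer must accept NULL. The names response_t, write_cb, fake_transfer and response_text are hypothetical, and the transfer is simulated so the block runs without libcurl.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical response buffer; data stays NULL until a body chunk arrives. */
typedef struct { char *data; size_t len; } response_t;

/* Same shape as a libcurl write callback: invoked once per body chunk,
 * and never invoked when the response body is empty. */
static size_t write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    response_t *r = userdata;
    size_t n = size * nmemb;
    char *p = realloc(r->data, r->len + n + 1);
    if (p == NULL)
        return 0;                       /* reports failure to the transfer */
    memcpy(p + r->len, ptr, n);
    r->len += n;
    p[r->len] = '\0';
    r->data = p;
    return n;
}

/* Simulated transfer over constructed input, delivered in chunks of at
 * most 4 bytes; an empty body produces zero callback invocations. */
static int fake_transfer(const char *body, response_t *r)
{
    size_t total = strlen(body), off = 0;
    while (off < total) {
        size_t n = total - off < 4 ? total - off : 4;
        if (write_cb((char *)body + off, 1, n, r) != n)
            return -1;
        off += n;
    }
    return 0;
}

/* Hardened accessor: an empty response is valid and maps to "", so no
 * caller hands a NULL pointer to strlen() or a parser. */
static const char *response_text(const response_t *r)
{
    return r->data != NULL ? r->data : "";
}

int main(void)
{
    response_t empty = {0}, full = {0};
    fake_transfer("", &empty);
    fake_transfer("{\"value\":1}", &full);   /* constructed sample body */
    printf("empty: data=%p text=\"%s\"\n", (void *)empty.data, response_text(&empty));
    printf("full:  len=%zu text=\"%s\"\n", full.len, response_text(&full));
    free(full.data);
    return 0;
}
```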
--- Begin Message ---
The CVEs in this bug:
CVE-2024-36467 CVE-2024-36468 CVE-2024-42326 CVE-2024-42327
CVE-2024-42329 CVE-2024-42330 CVE-2024-42331 CVE-2024-42332
CVE-2024-42333
are all fixed in unstable already.
The two non-fixed ones, CVE-2024-42328 and CVE-2024-36464, have been
cloned to their own bugs, #1090029 and #1090030, for dedicated tracking.
So this bug can be closed.
--
tobi
--- End Message ---