Zabbix ID | CVE number | CVSS score | Zabbix severity | Synopsis | Component/s | Affected version/s | Published

Zabbix severity levels:
Critical - vulnerabilities that could be easily exploited by a remote unauthenticated actor and lead to Zabbix compromise without requiring user interaction, or that allow remote unauthorized users to gain Super Admin privileges. Install the required updates or apply workarounds as soon as possible.
High - vulnerabilities that can easily compromise the confidentiality, integrity or availability of Zabbix components. They allow local or authenticated users to gain additional privileges, allow remote unauthorized users to view information in Zabbix, or allow authenticated remote users to execute arbitrary code. Install the required updates in your next maintenance window.
Medium - vulnerabilities that may be more difficult to exploit but could still compromise the confidentiality, integrity or availability of Zabbix under certain circumstances. Such vulnerabilities could otherwise have Critical or High severity but are less easily exploited and/or affect unlikely configurations. Evaluate the risk and install updates if required.
Low - other vulnerabilities that may have a security impact. Such vulnerabilities require unlikely circumstances to be exploited, or their successful exploitation would have minimal consequences. Evaluate the risk and install updates if required.

ZBV-2024-08-09-8 | CVE-2024-36462 | CVSS 7.5 | High | Published 2024 Aug 09
Synopsis: Allocation of resources without limits or throttling (uncontrolled resource consumption)
Description: Uncontrolled resource consumption is a weakness in which an attacker or the system itself consumes excessive resources such as CPU, memory or network bandwidth without proper limits or controls. This can cause a denial of service or degrade the performance of the affected system. In Zabbix, an attacker could use a browser item script to crash the Zabbix server.
Known Attack Vectors: A crafted browser item script crashes the Zabbix server, which can be used as a denial-of-service (DoS) attack.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix extends its gratitude to justonezero for submitting this report on the HackerOne bug bounty platform.
Component/s | Affected version/s | Fix version/s
Server | 7.0.0alpha1-7.0.0 | 7.0.1rc1
Ticket: ZBX-25019

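The affected-version ranges in these advisories use Zabbix's pre-release suffixes (alpha, beta, rc), which sort before the final release, so 7.0.0rc2 lies inside "7.0.0alpha1-7.0.0rc2" but 7.0.0 does not. The following Python helper is an added example, not part of the Zabbix advisory page or the Zabbix code base: it parses those ranges and reports which advisories apply to an installed version. The three affected-range lists in the block are copied from the tables on this page; the function names, the ADVISORIES variable and the ordering rule for suffixes are my own assumptions.

```python
import re

# Pre-release stages in release order; a version with no suffix is the final release.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3
_VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:(alpha|beta|rc)(\d+)?)?$")


def parse_version(text):
    """Turn '7.0.0rc2' into a sortable tuple (7, 0, 0, 2, 2); '6.0' becomes (6, 0, 0, 3, 0)."""
    m = _VER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor or 0), int(patch or 0),
            _STAGE.get(stage, _FINAL), int(num or 0))


def parse_range(text):
    """'6.0.0-6.0.30' -> (low, high); a bare version such as '7.0.0alpha1' is a one-element range."""
    low, _, high = text.replace("\u2013", "-").partition("-")  # some rows use an en dash
    return parse_version(low), parse_version(high or low)


def is_affected(installed, ranges):
    """True if the installed version falls inside any of the affected ranges (inclusive)."""
    v = parse_version(installed)
    return any(low <= v <= high for low, high in map(parse_range, ranges))


# Affected ranges copied from advisories on this page (assumed lookup table for the example).
ADVISORIES = {
    "CVE-2024-36461": ["6.0.0-6.0.30", "6.4.0-6.4.15", "7.0.0alpha1-7.0.0"],
    "CVE-2024-22121": ["5.0.0-5.0.42", "6.0.0-6.0.30", "6.4.0-6.4.15", "7.0.0alpha1-7.0.0rc2"],
    "CVE-2024-22120": ["6.0.0-6.0.27", "6.4.0-6.4.12", "7.0.0alpha1-7.0.0beta1"],
}


def applicable_advisories(installed, advisories=ADVISORIES):
    """Return the sorted CVE identifiers whose affected ranges contain the installed version."""
    return sorted(cve for cve, ranges in advisories.items() if is_affected(installed, ranges))


if __name__ == "__main__":
    for ver in ("6.0.27", "6.0.30", "6.0.31", "7.0.0rc2", "7.0.0"):
        print(ver, applicable_advisories(ver))
```

Run it with the version reported by `zabbix_server -V` (or the front-end's About dialog). The range check is inclusive at both ends because the tables list the last affected build, not the first fixed one.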
ZBV-2024-08-09-7 | CVE-2024-36461 | CVSS 9.1 | Critical | Published 2024 Aug 09
Synopsis: Direct access to memory pointers within the JS engine for modification
Description: Within Zabbix, users could directly modify memory pointers in the JavaScript engine.
Known Attack Vectors: This vulnerability allows users with access to a single item configuration (a limited role) to compromise the whole infrastructure of the monitoring solution through remote code execution.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix extends its gratitude to Pavel Voit (pavelvoit) for submitting this report on the HackerOne bug bounty platform.
Component/s | Affected version/s | Fix version/s
Server | 6.0.0-6.0.30 | 6.0.31rc1
Server | 6.4.0-6.4.15 | 6.4.16rc1
Server | 7.0.0alpha1-7.0.0 | 7.0.1rc1
Ticket: ZBX-25018

ZBV-2024-08-09-6 | CVE-2024-36460 | CVSS 8.1 | High | Published 2024 Aug 09
Synopsis: Front-end audit log shows passwords in plaintext
Description: The front-end audit log displays passwords in plaintext, unprotected and unmasked.
Known Attack Vectors: Password data can be extracted from the audit log and used in impersonation attacks.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Frontend | 5.0.0-5.0.42 | 5.0.43rc1
Frontend | 6.0.0-6.0.30 | 6.0.31rc1
Frontend | 6.4.0-6.4.15 | 6.4.16rc1
Frontend | 7.0.0alpha1-7.0.0 | 7.0.1rc1
Ticket: ZBX-25017

ZBV-2024-08-09-5 | CVE-2024-22123 | CVSS 2.7 | Low | Published 2024 Aug 09
Synopsis: Zabbix Arbitrary File Read
Description: When configuring SMS media, the GSM modem device file can be set. This file is later opened as a Linux device. Because everything is a file on Linux, another file, e.g. a log file, can be specified, and zabbix_server will try to communicate with it as if it were a modem. As a result, the log file is corrupted with AT commands and a small part of the log file content is leaked to the UI.
Known Attack Vectors: Impact is very low: it is possible to slightly corrupt the Zabbix log file and read a small part of the Zabbix log (without any control over which part). If the Zabbix server runs as a more privileged user, some denial of service may also be possible.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Server | 5.0.0-5.0.42 | 5.0.43rc1
Server | 6.0.0-6.0.30 | 6.0.31rc1
Server | 6.4.0-6.4.15 | 6.4.16rc1
Server | 7.0.0alpha1-7.0.0rc2 | 7.0.0rc3
Ticket: ZBX-25013

ZBV-2024-08-09-4 | CVE-2024-22122 | CVSS 3.0 | Low | Published 2024 Aug 09
Synopsis: AT (GSM) Command Injection
Description: Zabbix allows SMS notifications to be configured. AT command injection occurs on the Zabbix server because the "Number" field is not validated on either the web front-end or the Zabbix server side. An attacker can run an SMS test with a specially crafted phone number and execute additional AT commands on the modem.
Known Attack Vectors: Impact varies and depends on the GSM modem manufacturer. In the worst case the modem exposes dangerous functionality such as initiating FTP connections, which can be used for firmware updates, and this could lead to RCE, SSRF, etc.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix wants to thank Maksim Tiukov (mf0cuz), who submitted this report on the HackerOne bug bounty platform.
Component/s | Affected version/s | Fix version/s
Server, Frontend | 5.0.0-5.0.42 | 5.0.43rc1
Server, Frontend | 6.0.0-6.0.30 | 6.0.31rc1
Server, Frontend | 6.4.0-6.4.15 | 6.4.16rc1
Server, Frontend | 7.0.0alpha1-7.0.0rc2 | 7.0.0rc3
Ticket: ZBX-25012

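The injection mechanism behind CVE-2024-22122 is the generic one for any serial AT link: a modem treats each CR-terminated line as a separate command, so a "number" that contains a quote and a carriage return closes the AT+CMGS command and starts another. The following Python block is an added example, not Zabbix's code and not the fix Zabbix shipped; it shows the unvalidated string build next to an allowlist validator. The number format (optional '+' and 3 to 15 digits), the function names and the constructed payload are my own assumptions; ATZ is used only as a harmless, well-known stand-in for "some other command".

```python
import re

# Assumed recipient policy for the example: optional leading '+' and 3 to 15 digits, nothing else.
_NUMBER_RE = re.compile(r"^\+?[0-9]{3,15}$")


def naive_cmgs(number):
    """Build the 'send SMS' command the way an unvalidated implementation would: raw interpolation."""
    return f'AT+CMGS="{number}"\r'


def validate_number(number):
    """Reject anything that is not a plain phone number, so CR, quotes and letters never reach the modem."""
    if not _NUMBER_RE.match(number):
        raise ValueError(f"invalid recipient number: {number!r}")
    return number


def safe_cmgs(number):
    """Same command, but only after the recipient passed the allowlist."""
    return f'AT+CMGS="{validate_number(number)}"\r'


def modem_commands(stream):
    """Split a byte stream the way a modem does: one command per CR-terminated line, empties ignored."""
    return [line for line in stream.split("\r") if line]


# Constructed payload: closes the quoted number, terminates the command with CR and appends a second
# command (ATZ, reset to defaults) that the modem will execute as its own line.
INJECTED = '+37160000000"\rATZ\r"'


if __name__ == "__main__":
    print(modem_commands(naive_cmgs("+37160000000")))   # one command
    print(modem_commands(naive_cmgs(INJECTED)))         # the modem now sees ATZ as a second command
    try:
        safe_cmgs(INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```

The validator belongs on both sides, as the advisory notes: in the front-end form and again in the server process that actually opens the device, so that an API caller who bypasses the form is still stopped.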
ZBV-2024-08-09-3 | CVE-2024-22121 | CVSS 6.1 | Medium | Published 2024 Aug 09
Synopsis: Zabbix Agent MSI Installer Allows Non-Admin User to Access Change Option via msiexec.exe
Description: A non-admin user can change or remove important features of the Zabbix Agent installation, impacting the integrity and availability of the application.
Known Attack Vectors: A non-admin user can use the installer's Change option via msiexec.exe to change or remove important features (e.g. remove the Zabbix Agent service), impacting the integrity and availability of the application.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix wants to thank gee-netics, who submitted this report on the HackerOne bug bounty platform.
Component/s | Affected version/s | Fix version/s
Installation | 5.0.0-5.0.42 | 5.0.43rc1
Installation | 6.0.0-6.0.30 | 6.0.31rc1
Installation | 6.4.0-6.4.15 | 6.4.16rc1
Installation | 7.0.0alpha1-7.0.0rc2 | 7.0.0rc3
Ticket: ZBX-25011

ZBV-2024-08-09-2 | CVE-2024-22116 | CVSS 9.9 | Critical | Published 2024 Aug 09
Synopsis: Remote code execution within ping script
Description: An administrator with restricted permissions can exploit the script execution functionality in the Monitoring > Hosts section. The lack of default escaping for script parameters allowed this user to execute arbitrary code via the Ping script, compromising the infrastructure.
Known Attack Vectors: Compromise of the monitoring environment.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix wants to thank justonezero, who submitted this report on the HackerOne bug bounty platform.
Component/s | Affected version/s | Fix version/s
Server | 6.4.0-6.4.15 | 6.4.16rc1
Server | 7.0.0alpha1-7.0.0rc2 | 7.0.1rc3
Ticket: ZBX-25016

ZBV-2024-08-09-1 | CVE-2024-22114 | CVSS 4.3 | Medium | Published 2024 Aug 09
Synopsis: System Information Widget in Global View Dashboard exposes information about Hosts to Users without Permission
Description: A user with no permission to any host can access and view the host count and other statistics through the System Information widget in the Global view dashboard.
Known Attack Vectors: A user with no permission to hosts can obtain statistics such as the total host count and other data through the System Information widget.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix wants to thank Jayateertha G (jayateerthag), who submitted this report on the HackerOne bug bounty platform.
Component/s | Affected version/s | Fix version/s
Server, Frontend | 5.0.0-5.0.42 | 5.0.43rc1
Server, Frontend | 6.0.0-6.0.30 | 6.0.31rc1
Server, Frontend | 6.4.0-6.4.15 | 6.4.16rc1
Server, Frontend | 7.0.0alpha1-7.0.0rc2 | 7.0.1rc3
Ticket: ZBX-25015

ZBV-2024-05-17 | CVE-2024-22120 | CVSS 9.1 | Critical | Published 2024 May 17
Synopsis: Time Based SQL Injection in Zabbix Server Audit Log
Description: Zabbix server can execute configured scripts. After a command is executed, an audit entry is added to the Audit Log. Because the "clientip" field is not sanitized, SQL can be injected through "clientip" and a time-based blind SQL injection exploited.
Known Attack Vectors: This vulnerability could lead to privilege escalation from user to admin. In some cases, SQL injection leads to RCE.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix wants to thank Maxim Tyukov (mf0cuz), who submitted this report on the HackerOne bug bounty platform.
Component/s | Affected version/s | Fix version/s
Server | 6.0.0-6.0.27 | 6.0.28rc1
Server | 6.4.0-6.4.12 | 6.4.13rc1
Server | 7.0.0alpha1-7.0.0beta1 | 7.0.0beta2
Ticket: ZBX-24505

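The root cause in CVE-2024-22120 is an audit-log write that interpolates the client IP into the SQL text. The block below is an added example and not Zabbix's code or schema: it uses an in-memory SQLite database with constructed table names to show that a crafted "clientip" rewrites the INSERT (here it copies a password hash from another table into the audit row, the same string-breakout a time-based payload relies on, with a conditional delay in place of the subquery), while a bound parameter stores the same payload as an inert string. A format check with the standard `ipaddress` module is added as defence in depth; all names are assumptions.

```python
import ipaddress
import sqlite3


def make_db():
    """Constructed stand-in for the real tables (assumed names and columns, not Zabbix's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, passwd TEXT);
        CREATE TABLE auditlog (action TEXT, clientip TEXT);
        INSERT INTO users VALUES ('Admin', '$2y$10$constructed.hash.value');
    """)
    return conn


def audit_unsafe(conn, action, clientip):
    """Interpolates the client IP into the statement text, which is the flaw class described."""
    conn.execute(f"INSERT INTO auditlog (action, clientip) VALUES ('{action}', '{clientip}')")


def audit_safe(conn, action, clientip):
    """Bound parameters: the value is data and can never change the statement's structure."""
    conn.execute("INSERT INTO auditlog (action, clientip) VALUES (?, ?)", (action, clientip))


def is_client_ip(value):
    """Defence in depth: an audit 'clientip' must parse as an IPv4/IPv6 address before it is stored."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def last_clientip(conn):
    return conn.execute("SELECT clientip FROM auditlog ORDER BY rowid DESC LIMIT 1").fetchone()[0]


# Constructed payload: closes the '' literal, concatenates a subquery result, reopens the literal.
PAYLOAD = "'||(SELECT passwd FROM users WHERE username='Admin')||'"


if __name__ == "__main__":
    conn = make_db()
    audit_unsafe(conn, "script.execute", PAYLOAD)
    print("unsafe stored:", last_clientip(conn))   # the Admin password hash
    audit_safe(conn, "script.execute", PAYLOAD)
    print("safe stored:  ", last_clientip(conn))   # the payload text, unchanged
    print("valid ip?", is_client_ip("192.0.2.10"), is_client_ip(PAYLOAD))
```

Parameter binding is the fix; the address check is the extra layer that also keeps the audit trail meaningful, since a "client IP" that is not an IP address is itself an indicator worth alerting on.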
ZBV-2024-02-09 | CVE-2024-22119 | CVSS 5.5 | Medium | Published 2024 Feb 09
Synopsis: Stored XSS in graph items select form
Description: The vulnerability is caused by improper validation of the "Name" input field of graph items on the Graph page.
Known Attack Vectors: Malicious code can be entered into a graph item's Name field and is executed when a user clicks the graph item name link.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Frontend | 5.0.0-5.0.39 | 5.0.40rc1
Frontend | 6.0.0-6.0.23 | 6.0.24rc1
Frontend | 6.4.0-6.4.8 | 6.4.9rc1
Frontend | 7.0.0alpha1-7.0.0alpha7 | 7.0.0alpha8
Ticket: ZBX-24070

ZBV-2023-12-18-4 | CVE-2023-32728 | CVSS 4.6 | Medium | Published 2023 Dec 18
Synopsis: Code injection in Zabbix Agent 2 smart.disk.get caused by smartctl plugin
Description: The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command, which makes remote code execution possible.
Known Attack Vectors: An attacker can execute arbitrary code on any device that has a Zabbix Agent 2 listening and smartctl installed.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: This vulnerability was reported on the HackerOne bug bounty platform by Philippe Antoine (catenacyber).
Component/s | Affected version/s | Fix version/s
Agent 2 | 5.0.0-5.0.38 | 5.0.39rc1
Agent 2 | 6.0.0-6.0.23 | 6.0.24rc1
Agent 2 | 6.4.0-6.4.8 | 6.4.9rc1
Agent 2 | 7.0.0alpha1-7.0.0alpha7 | 7.0.0alpha8
Ticket: ZBX-23858

ZBV-2023-12-18-3 | CVE-2023-32727 | CVSS 6.8 | Medium | Published 2023 Dec 18
Synopsis: icmpping() code execution vulnerability
Description: An attacker with the privilege to configure Zabbix items can use the icmpping() function with an additional malicious command embedded in its parameters to execute arbitrary code on the Zabbix server.
Known Attack Vectors: Command injection.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: This vulnerability was reported on the HackerOne bug bounty platform by Philippe Antoine (catenacyber).
Component/s | Affected version/s | Fix version/s
Server | 4.0.0-4.0.49 | 4.0.50
Server | 5.0.0-5.0.38 | 5.0.39
Server | 6.0.0-6.0.22 | 6.0.23rc1
Server | 6.4.0-6.4.7 | 6.4.8rc1
Server | 7.0.0alpha0-7.0.0alpha6 | 7.0.0alpha7
Ticket: ZBX-23857

ZBV-2023-12-18-2 | CVE-2023-32726 | CVSS 3.9 | Low | Published 2023 Dec 18
Synopsis: Possible buffer over-read from reading DNS responses
Description: The vulnerability is caused by an improper check of RDLENGTH in the response from a DNS server: if RDLENGTH exceeds the remaining buffer, the agent reads past the end of it.
Known Attack Vectors: This type of flaw may result in exposure of sensitive information, a crash, or arbitrary code execution.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: This vulnerability was reported on the HackerOne bug bounty platform by Philippe Antoine (catenacyber).
Component/s | Affected version/s | Fix version/s
Agent | 5.0.0-5.0.39 | 5.0.40
Agent | 6.0.0-6.0.23 | 6.0.24
Agent | 6.4.0-6.4.8 | 6.4.9
Agent | 7.0.0alpha1-7.0.0alpha6 | 7.0.0alpha8
Ticket: ZBX-23855

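A DNS resource record carries its own RDLENGTH, and a parser that trusts that field reads RDLENGTH bytes regardless of how many bytes actually arrived; that is the over-read described in CVE-2023-32726. The block below is an added example in Python, not the Zabbix agent's C code and not its fix: a minimal answer-section parser with the bounds check in place, a switch to disable it so the flaw can be observed, and a constructed reply whose RDLENGTH claims 1024 bytes while only 4 are present. In Python the unchecked path merely truncates the slice; in C the same code would copy from beyond the receive buffer, which is where the information disclosure or crash comes from. The message layout follows RFC 1035; the function names and the sample reply are my own.

```python
import struct


def _skip_name(buf, off):
    """Advance past a DNS name (labels or a compression pointer), checking every read against the buffer."""
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: two bytes, name ends here
            if off + 2 > len(buf):
                raise ValueError("truncated compression pointer")
            return off + 2
        off += 1 + length


def parse_answers(buf, check_rdlength=True):
    """Return [(TYPE, RDATA)] for the answer section.

    check_rdlength=False skips the RDLENGTH-vs-remaining-bytes test to mimic the flaw; Python slicing
    then silently truncates, whereas C code would read past the buffer."""
    if len(buf) < 12:
        raise ValueError("truncated header")
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # QTYPE + QCLASS
        if off > len(buf):
            raise ValueError("truncated question")
    answers = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated resource record header")
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if check_rdlength and rdlength > len(buf) - off:
            raise ValueError(f"RDLENGTH {rdlength} exceeds the {len(buf) - off} bytes remaining")
        answers.append((rtype, buf[off:off + rdlength]))
        off += rdlength
    return answers


def build_response(rdlength, rdata):
    """Constructed A-record reply for example.com; RDLENGTH is written as given so it may disagree with RDATA."""
    name = b"\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags (QR, RD, RA), counts
    question = name + struct.pack("!HH", 1, 1)                     # QTYPE A, QCLASS IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, rdlength) + rdata
    return header + question + answer


GOOD = build_response(4, bytes([93, 184, 216, 34]))
BAD = build_response(0x0400, bytes([93, 184, 216, 34]))   # claims 1024 bytes, carries 4


if __name__ == "__main__":
    print(parse_answers(GOOD))
    try:
        parse_answers(BAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The same "declared length versus bytes actually available" check applies to every length-prefixed field in the message, including the label lengths inside names, which is why `_skip_name` tests the offset before each read rather than only at the end.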
ZBV-2023-12-18-1 | CVE-2023-32725 | CVSS 9.6 | Critical | Published 2023 Dec 18
Synopsis: Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget
Description: The website configured in the URL widget receives the session cookie when scheduled reports are tested or executed. The received session cookie can then be used to access the front-end as that user.
Known Attack Vectors: Any URL can be configured in a URL widget by a Zabbix user, so the Zabbix session cookie may become known to the operator of that website and to an attacker. The attacker can use the cookie to impersonate the Zabbix user who created the report and log in to the Zabbix front-end with that user's privileges. Note that scheduled reports are available only to the Admin and Super admin user types.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Server, Web service | 6.0.0-6.0.21 | 6.0.22rc1
Server, Web service | 6.4.0-6.4.6 | 6.4.7rc1
Server, Web service | 7.0.0alpha1-7.0.0alpha3 | 7.0.0alpha4
Ticket: ZBX-23854

ZBV-2023-09-20-1 | CVE-2023-29453 | CVSS 9.8 | Critical | Published 2023 Oct 12
Synopsis: Agent 2 packages are built with a Go version affected by CVE-2023-24538
Description: Go's html/template does not properly consider backticks (`) as JavaScript string delimiters and does not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template. As ES6 template literals are rather complex and can themselves do string interpolation, the decision was made to simply disallow Go template actions inside them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With the fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.
Known Attack Vectors: CWE-94 Improper Control of Generation of Code ('Code Injection')
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Agent 2 | 5.0.0-5.0.34 | 5.0.35
Agent 2 | 6.0.0-6.0.17 | 6.0.18
Agent 2 | 6.4.0-6.4.2 | 6.4.3
Ticket: ZBX-23388

ZBV-2023-09-20-2 | CVE-2023-32721 | CVSS 7.6 | High | Published 2023 Oct 12
Synopsis: Stored XSS in Maps element
Description: A stored XSS was found in the Zabbix web application in the Maps element when a URL field is set with spaces before the URL.
Known Attack Vectors: The impact of a successful XSS exploitation varies. In the worst case, an attacker can execute JavaScript code in the victim's browser, which opens the door to many scenarios, most commonly session hijacking, user impersonation or client-side attacks.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: This vulnerability was reported on the HackerOne platform by prasetia.
Component/s | Affected version/s | Fix version/s
API, Frontend | 4.0.0-4.0.47 | 4.0.48rc1
API, Frontend | 5.0.0-5.0.36 | 5.0.37rc1
API, Frontend | 6.0.0-6.0.20 | 6.0.21rc1
API, Frontend | 6.4.0-6.4.5 | 6.4.6rc1
API, Frontend | 7.0.0alpha1-7.0.0alpha3 | 7.0.0alpha4
Ticket: ZBX-23389

ZBV-2023-09-20-3 | CVE-2023-32722 | CVSS 9.6 | Critical | Published 2023 Oct 12
Synopsis: Stack-based buffer overflow in library module zbxjson
Description: The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON via zbx_json_open.
Known Attack Vectors: Stack-based buffer overflows usually lead to remote code execution.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: This vulnerability was reported on the HackerOne platform by Koffi (kandersonko).
Component/s | Affected version/s | Fix version/s
Agent, Proxy, Server | 6.0.0-6.0.20 | 6.0.21rc1
Agent, Proxy, Server | 6.4.0-6.4.5 | 6.4.6rc1
Agent, Proxy, Server | 7.0.0alpha1-7.0.0alpha3 | 7.0.0alpha4
Ticket: ZBX-23390

ZBV-2023-09-20-4 | CVE-2023-32723 | CVSS 8.5 | High | Published 2023 Oct 12
Synopsis: Inefficient permission check in class CControllerAuthenticationUpdate
Description: A request to LDAP is sent before user permissions are checked.
Known Attack Vectors: This vulnerability causes unauthorized Server-Side Request Forgery (SSRF) in the Zabbix front-end. The attacker abuses server functionality to access or modify resources, targeting an application that supports data reads or imports from URLs.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: Zabbix wants to thank xiaojunjie.
Component/s | Affected version/s | Fix version/s
Frontend | 4.0.0-4.0.19rc1 | 4.0.20rc1
Frontend | 4.4.0-4.4.7rc1 | 4.4.8rc1
Frontend | 5.0.0alpha1-5.0.0alpha3 | 5.0.0alpha4
Ticket: ZBX-23230

ZBV-2023-09-20-5 | CVE-2023-32724 | CVSS 9.1 | Critical | Published 2023 Oct 12
Synopsis: JS engine memory pointers are directly available to Zabbix users for modification
Description: A memory pointer is exposed as a property of the Duktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.
Known Attack Vectors: The overall impact is not limited to a restriction bypass: users with access to a single item configuration (a limited role) can compromise the whole infrastructure of the monitoring solution through remote code execution.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: This vulnerability was reported on the HackerOne platform by Pavel Voit (pavelvoit).
Component/s | Affected version/s | Fix version/s
Proxy, Server | 5.0.0-5.0.36 | 5.0.37rc1
Proxy, Server | 6.0.0-6.0.20 | 6.0.21rc1
Proxy, Server | 6.4.0-6.4.5 | 6.4.6rc1
Proxy, Server | 7.0.0alpha1-7.0.0alpha3 | 7.0.0alpha4
Ticket: ZBX-23391

ZBV-2023-07-27-9 | CVE-2023-29458 | CVSS 5.9 | Medium | Published 2023 Jun 16
Synopsis: Duktape 2.6 bug crashes JavaScript when too many values are put on the value stack
Description: Duktape is a third-party embeddable JavaScript engine with a focus on portability and a compact footprint. When too many values are pushed onto the value stack, the JavaScript engine crashes. This is caused by a bug in Duktape 2.6, a third-party component used by Zabbix.
Known Attack Vectors: This vulnerability could be used to intentionally push too many values onto the value stack and crash the JavaScript engine.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Server, Proxy | 5.0.0-5.0.34 | 5.0.35rc1
Server, Proxy | 6.0.0-6.0.17 | 6.0.18rc1
Server, Proxy | 6.4.0-6.4.2 | 6.4.3rc1
Server, Proxy | 7.0.0alpha1 | 7.0.0alpha1
Ticket: ZBX-22989

ZBV-2023-07-27-8 | CVE-2023-29457 | CVSS 6.3 | Medium | Published 2023 Jun 16
Synopsis: Insufficient validation of Action form input fields
Description: Reflected XSS attacks occur when a malicious script is reflected off a web application into the victim's browser. Here the script can be delivered through Action form fields, sent in a request to a vulnerable page that renders it and so executes the malicious script.
Known Attack Vectors: Using reflected XSS, session cookies could be revealed, enabling an attacker to impersonate valid users and abuse their accounts.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Frontend | 4.0.0-4.0.45 | 4.0.46rc1
Frontend | 5.0.0-5.0.34 | 5.0.35rc1
Frontend | 6.0.0-6.0.17 | 6.0.18rc1
Ticket: ZBX-22988

ZBV-2023-07-27-7 | CVE-2023-29456 | CVSS 5.7 | Medium | Published 2023 Jun 16
Synopsis: Insufficient URL scheme validation
Description: URL validation takes input from a user and parses it to identify its components, so that every component can be checked against internet standards. The existing validation did not do this sufficiently.
Known Attack Vectors: The insufficient URL scheme validation leads to XSS in maps, triggers and other places where links can be added.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Frontend | 4.0.0-4.0.46 | 4.0.47rc1
Frontend | 5.0.0-5.0.35 | 5.0.36rc1
Frontend | 6.0.0-6.0.18 | 6.0.19rc1
Frontend | 6.4.0-6.4.3 | 6.4.4rc1
Frontend | 7.0.0alpha1 | 7.0.0alpha2
Ticket: ZBX-22987

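CVE-2023-32721 (Maps element, URL with leading spaces) and CVE-2023-29456 (URL scheme validation) above share one root cause: a link field validated on the raw string while the browser normalizes it first. Per the WHATWG URL parser a browser strips leading and trailing C0 controls and spaces and removes tab, CR and LF anywhere before it looks for a scheme, so " javascript:alert(1)" and "java\tscript:alert(1)" both run while a naive `startswith("javascript:")` test passes them. The block below is an added example for both advisories and is not Zabbix's validator: it performs the same normalization before an allowlist scheme check. The allowlist contents and the function names are assumptions.

```python
import re

# Assumed allowlist for the example; a deployment would take this from its own configuration.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto", "tel", "ssh"}

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))   # U+0000..U+0020


def naive_is_safe(url):
    """Blocklist check on the raw string: defeated by a leading space or an embedded tab."""
    return not url.lower().startswith("javascript:")


def normalize(url):
    """Apply the browser's pre-parse cleanup: strip leading/trailing C0 controls and space,
    then drop tab, CR and LF wherever they appear."""
    return re.sub(r"[\t\r\n]", "", url.strip(_C0_AND_SPACE))


def scheme_of(url):
    """Scheme of an already-normalized URL in lower case, or None for a relative URL."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else None


def is_safe_url(url):
    """Allowlist check on the normalized URL. Relative URLs (no scheme) are accepted; any scheme
    outside ALLOWED_SCHEMES, including javascript:, data: and vbscript:, is rejected."""
    scheme = scheme_of(normalize(url))
    return scheme is None or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for candidate in (" javascript:alert(1)", "java\tscript:alert(1)",
                      "https://example.com/map", "zabbix.php?action=map.view&sysmapid=1"):
        print(repr(candidate), "naive:", naive_is_safe(candidate), "allowlist:", is_safe_url(candidate))
```

Validating after normalization and against an allowlist rather than a blocklist is the whole point: the set of dangerous schemes is open-ended, the set of schemes a monitoring link legitimately needs is not.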
ZBV-2023-07-27-6 | CVE-2023-29455 | CVSS 5.4 | Medium | Published 2023 Jun 16
Synopsis: Reflected XSS in several fields of graph form
Description: Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser. The script is activated through a link that sends a request to a vulnerable page, which then executes the malicious script.
Known Attack Vectors: Using this vulnerability an attacker can pass malicious code in a GET request to graph.php; the system saves it and executes it when the graph page is opened.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Frontend | 4.0.0-4.0.45 | 4.0.46rc1
Frontend | 5.0.0-5.0.33 | 5.0.35rc1
Ticket: ZBX-22986

ZBV-2023-07-27-5 | CVE-2023-29454 | CVSS 5.4 | Medium | Published 2023 Jun 16
Synopsis: Persistent XSS in the user form
Description: Stored (persistent) cross-site scripting is a type of XSS in which the attacker first sends the payload to the web application, the application saves it (e.g. in a database or server-side text file), and the application then unintentionally executes the payload for every victim who visits the affected page.
Known Attack Vectors: The vulnerability is in the Users section, Media tab, "Send to" form field. When a new media entry is created with malicious code in the "Send to" field, the code executes when that media entry is edited.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Frontend | 4.0.0-4.0.45 | 4.0.46rc1
Frontend | 5.0.0-5.0.33 | 5.0.35rc1
Frontend | 6.0.0-6.0.16 | 6.0.18rc1
Ticket: ZBX-22985

ZBV-2023-07-27-4 | CVE-2023-29452 | CVSS 5.5 | Medium | Published 2023 Jun 16
Synopsis: Remove possibility to add HTML into Geomap attribution field
Description: Geomap configuration (Administration -> General -> Geographical maps) allowed HTML in the "Attribution text" field when the "Other" tile provider is selected.
Known Attack Vectors: Text entered in the "Attribution text" field is displayed in a small text box on the map. Malicious code can be entered into the field and is executed when a user views the map.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Frontend | 6.0.0-6.0.17 | 6.0.18rc1
Frontend | 6.4.0-6.4.2 | 6.4.2rc1
Frontend | 7.0.0-7.0.0alpha1 | 7.0.0alpha1
Ticket: ZBX-22981

ZBV-2023-07-27-3 | CVE-2023-29451 | CVSS 4.7 | Medium | Published 2023 Mar 10
Synopsis: Denial of service caused by a bug in the JSON parser
Description: A specially crafted string can cause a buffer overrun in the JSON parser library, leading to a crash of the Zabbix server or Zabbix proxy.
Known Attack Vectors: Buffer overrun causing denial of service.
Resolution: Apply the updates listed under 'Fix version/s' below to the affected products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s
Server, Proxy | 6.0-6.0.14 | 6.0.15rc1
Server, Proxy | 6.2-6.2.8 | 6.2.9rc2
Server, Proxy | 6.4-6.4.0 | 6.4.1rc2
Server, Proxy | 7.0.0alpha1 | 7.0.0alpha1
Ticket: ZBX-22587

ZBV-2023-07-27-2 | CVE-2023-29450 | 8.5 | High | Unauthorized limited filesystem access from preprocessing | Server, Proxy | 5.0-5.0.31, 6.0-6.0.13, 6.2-6.2.7, 6.4-6.4.0rc1 | 2023 Feb 23
Description: JavaScript preprocessing can be used by an attacker to gain access to the file system (read-only access on behalf of the user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.
Known Attack Vectors: Information disclosure.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Server, Proxy | 5.0-5.0.31 | 5.0.32rc1 | 8.5 | High | ZBX-22588
Server, Proxy | 6.0-6.0.13 | 6.0.14rc1 (6.0.16 is recommended) | 8.5 | High | ZBX-22588
Server, Proxy | 6.2-6.2.7 | 6.2.8rc1 | 8.5 | High | ZBX-22588
Server, Proxy | 6.4-6.4.0rc1 | 6.4.0rc2 | 8.5 | High | ZBX-22588

ZBV-2023-07-27-1 | CVE-2023-29449 | 5.9 | Medium | Limited control of resource utilization in JS preprocessing | Server, Proxy | 4.4.4-4.4.*, 5.0.0alpha1-5.0.31, 5.2.0alpha1-5.2.*, 5.4.0alpha1-5.4.*, 6.0.0alpha1-6.0.13, 6.2.0alpha1-6.2.7, 6.4.0alpha1-6.4.0beta6 | 2023 Jan 06
Description: JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to administrative roles (Admin and Superadmin). Administrative privileges should typically be granted only to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.
Known Attack Vectors: Allocation of resources without limits or throttling.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: None
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Server, Proxy | 4.4.4-4.4.* | - | 5.9 | Medium | ZBX-22589
Server, Proxy | 5.0.0alpha1-5.0.31 | 5.0.32rc1 | 5.9 | Medium | ZBX-22589
Server, Proxy | 5.2.0alpha1-5.2.* | - | 5.9 | Medium | ZBX-22589
Server, Proxy | 5.4.0alpha1-5.4.* | - | 5.9 | Medium | ZBX-22589
Server, Proxy | 6.0.0alpha1-6.0.13 | 6.0.14rc1 (6.0.16 is recommended) | 5.9 | Medium | ZBX-22589
Server, Proxy | 6.2.0alpha1-6.2.7 | 6.2.8rc1 | 5.9 | Medium | ZBX-22589
Server, Proxy | 6.4.0alpha1-6.4.0beta6 | 6.4.0rc2 | 5.9 | Medium | ZBX-22589

ZBV-2022-12-1 | CVE-2022-43516 | 6.5 | Medium | Zabbix Agent installer adds “allow all TCP any any” firewall rule | Agent, Agent2 | MSI pkg. (29.oct.22 - 2.dec.22) | 2022 Nov 30
Description: A firewall rule that allows all incoming TCP connections to all programs, from any source and to all ports, is created in Windows Firewall after Zabbix agent installation (MSI).
Known Attack Vectors: An attacker can connect to all TCP services running on the machine with Zabbix Agent.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround.
Workarounds: If an immediate update is not possible, change the applied local firewall rule to allow the agent port only.
Acknowledgements: Joshua PowellNishiyama
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Agent, Agent2 | MSI pkg. (29.oct.22 - 2.dec.22) | MSI pkg. => 3.dec.22 | 6.5 | Medium | ZBX-22002

ZBA-2022-10-1 | - | - | High | Some Zabbix products are affected by CVE-2022-3786 and CVE-2022-3602 vulnerabilities in OpenSSL | Agent, Containers, Packages | <=v6.0.8 (Solaris), all versions <=31/Oct/2022 | 2022 Oct 31
Description: On October 25, 2022, the OpenSSL team announced a new release of OpenSSL (version 3.0.7) to address high-severity vulnerabilities. The specific vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have no exploits yet, but analysts and businesses in the web security field encourage updating OpenSSL.
Known Attack Vectors: A possible buffer overrun via X.509 certificate verification, specifically in name constraint checking, on Zabbix components that support OpenSSL. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.
Resolution: What you need to know now:
- Zabbix sources fully rely on the OpenSSL installed in the operating system. If the system has OpenSSL 1.1.1 - 1.0.2 installed, then your Zabbix components are not affected by these vulnerabilities. If the system has OpenSSL versions 3.0.0 to 3.0.6 installed, then it is affected by this issue and OpenSSL should be updated.
  The OpenSSL version used by Zabbix can be determined using the command line option -V:
  $ zabbix_server -V
  ...
  Compiled with OpenSSL 3.0.7 1 Nov 2022
  Running with OpenSSL 3.0.7 1 Nov 2022
  Similar commands for other components:
  $ zabbix_proxy -V
  $ zabbix_agentd -V
  $ zabbix_get -V
  $ zabbix_sender -V
  If the lines "Compiled with ..." and "Running with ..." are not shown in the output, then your Zabbix has been compiled without OpenSSL support.
- Zabbix Appliances are not affected by the vulnerabilities, because they have been built without OpenSSL v.3.X.
- Zabbix Agents (except agents for Solaris) are not affected by the vulnerabilities, because they have been compiled without OpenSSL v.3.X. If you use Zabbix agent <= v6.0.8 (10, 11) for Solaris, our recommendation is to update it to v6.0.9, which includes OpenSSL v. 3.0.7.
- Zabbix Containers are affected by the vulnerabilities, because they used OpenSSL <= v. 3.0.6; we updated them on 1 November, please use the updated images.
- Zabbix Packages are not affected by the vulnerabilities, because they have been compiled without OpenSSL v.3.X.
Workarounds: If an immediate update is not possible, restrict network access to the vulnerable components to an allow-list of trusted sources.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Agent, Containers, Packages | <=v6.0.8 (Solaris) | >=v6.0.9 (Solaris) | - | High | ZBXSEC-128
Agent, Containers, Packages | all versions <=31/Oct/2022 | all versions >=1/Nov/2022 | - | High | ZBXSEC-128

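The version check in ZBA-2022-10-1 above is easy to automate across a fleet: capture the `-V` output of each Zabbix binary, take the "Running with OpenSSL" line (the runtime library, which is what the advisory says Zabbix relies on) and compare it with the affected range 3.0.0 to 3.0.6. The following POSIX sh script is an added example and is not part of the Zabbix advisory or of any Zabbix tooling; the sample `-V` outputs embedded in it are constructed to mirror the advisory's example, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not from the Zabbix advisory: classify the OpenSSL version
# reported by `zabbix_server -V` (or zabbix_proxy/zabbix_agentd/zabbix_get/
# zabbix_sender -V) against the affected range 3.0.0 to 3.0.6 named in ZBA-2022-10-1.

# Read -V output on stdin and print the version after "Running with OpenSSL".
# Prints "none" when the line is absent, i.e. the build has no OpenSSL support.
running_openssl_version() {
    v=$(sed -n 's/^Running with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] && echo "$v" || echo none
}

# Exit status 0 if the version is in the affected range 3.0.0-3.0.6, 1 otherwise.
# The glob matches exactly one patch digit, so 3.0.10 and later are not matched.
openssl_affected() {
    case "$1" in
        3.0.[0-6]) return 0 ;;
        *)         return 1 ;;
    esac
}

# Take the full -V output as one argument and print one of:
#   affected      runtime OpenSSL is 3.0.0-3.0.6: update OpenSSL
#   not-affected  1.0.2/1.1.1 series, or 3.0.7 and later
#   no-openssl    no "Running with OpenSSL" line: compiled without OpenSSL
classify_zabbix_v_output() {
    ver=$(printf '%s\n' "$1" | running_openssl_version)
    if [ "$ver" = none ]; then
        echo no-openssl
    elif openssl_affected "$ver"; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample outputs modelled on the advisory's example; none of these
# were captured from a real host.
SAMPLE_PATCHED='zabbix_server (Zabbix) 6.0.10
Compiled with OpenSSL 3.0.7 1 Nov 2022
Running with OpenSSL 3.0.7 1 Nov 2022'
SAMPLE_AFFECTED='zabbix_server (Zabbix) 6.0.10
Compiled with OpenSSL 3.0.5 5 Jul 2022
Running with OpenSSL 3.0.5 5 Jul 2022'
SAMPLE_LEGACY='zabbix_proxy (Zabbix) 5.0.29
Compiled with OpenSSL 1.1.1n  15 Mar 2022
Running with OpenSSL 1.1.1n  15 Mar 2022'
SAMPLE_NOSSL='zabbix_agentd (Zabbix) 6.0.10'

# Stand-alone run: report the verdict for each sample. On a real host use
#   classify_zabbix_v_output "$(zabbix_server -V 2>&1)"
for s in "$SAMPLE_PATCHED" "$SAMPLE_AFFECTED" "$SAMPLE_LEGACY" "$SAMPLE_NOSSL"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_zabbix_v_output "$s")"
done
```

The script deliberately keys on the "Running with" line rather than "Compiled with": the advisory's point is that Zabbix links the operating system's OpenSSL at run time, so a binary compiled against 3.0.7 that is running on a host still carrying 3.0.6 is the case worth catching.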
ZBV-2022-10-1 | CVE-2022-43515 | 5.3 | Medium | X-Forwarded-For header, active by default, allows access to Zabbix sites in maintenance mode | Frontend | 4.0.0-4.0.44, 5.0.0-5.0.29, 6.0.0-6.0.9, 6.2.0-6.2.4 | 2022 Oct 18
Description: Zabbix Frontend provides a feature that allows admins to put the installation into maintenance and ensure that only certain IP addresses can access it. In this way, no other user is able to access the Zabbix Frontend while it is being maintained, and potentially sensitive data is prevented from being disclosed. An attacker can bypass this protection and access the instance using an IP address not listed in the defined range.
Known Attack Vectors: An attacker can forge the X-Forwarded-For header and thereby gain access to Zabbix Frontend in maintenance mode.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround.
Workarounds: If an immediate update is not possible, limit network access to Zabbix Frontend during the maintenance window.
Acknowledgements: osman1337
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 4.0.0-4.0.44 | - | 5.3 | Medium | ZBX-22050
Frontend | 5.0.0-5.0.29 | =>5.0.30rc1 | 5.3 | Medium | ZBX-22050
Frontend | 6.0.0-6.0.9 | =>6.0.11rc1 | 5.3 | Medium | ZBX-22050
Frontend | 6.2.0-6.2.4 | =>6.2.5rc1 | 5.3 | Medium | ZBX-22050

ZBV-2022-09-1 | CVE-2022-46768 | 5.9 | Medium | File name information disclosure vulnerability in Zabbix Web Service Report Generation | Report generation | 6.0.0-6.0.11, 6.2.0-6.2.5 | 2022 Sep 21
Description: An arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on port 10053. The service does not properly validate URL parameters before reading files.
Known Attack Vectors: An attacker can read arbitrary files on the file system without authentication, given two preconditions: 1. the Zabbix web service has to allow access from the attacker's IP in the zabbix_web_service.conf file; 2. the victim server has to have Google Chrome installed.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround.
Workarounds: If an immediate update is not possible, limit network access to Zabbix Web Service Report Generation.
Acknowledgements: Trend Micro ZDI
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Report generation | 6.0.0-6.0.11 | =>6.0.12rc1 | 5.9 | Medium | ZBX-22087
Report generation | 6.2.0-6.2.5 | =>6.2.6rc1 | 5.9 | Medium | ZBX-22087

ZBA-2022-07-1 | - | - | - | Zabbix products are not affected by CVE-2022-2068 vulnerability in OpenSSL | - | - | 2022 Jul 26
Description: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review and reported on 13 Jun 2022 (CVE-2022-2068). The Zabbix team has evaluated all products and can conclude they are not affected by this vulnerability.
Known Attack Vectors: -
Resolution: -
Workarounds: -
Acknowledgements: -
Tickets: ZBXSEC-105

ZBV-2022-07-1 | CVE-2022-40626 | 4.8 | Medium | Reflected XSS in action configuration window of Zabbix Frontend | Frontend | 6.0.0-6.0.6, 6.2.0 | 2022 Jul 08
Description: An unauthenticated user can create a link with reflected JavaScript code inside the backurl parameter and send it to other, authenticated users.
Known Attack Vectors: When a prepared link with malicious code is sent to a user with privileged rights in Zabbix and the user follows the link, the XSS payload will create a fake account with a predefined login, password and role in Zabbix Frontend.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you receive via email or other means of communication that lead to Zabbix Frontend and contain suspicious parameters with special symbols.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 6.0.0-6.0.6 | =>6.0.7rc1 | 4.8 | Medium | ZBX-21350
Frontend | 6.2.0 | =>6.2.1rc1 | 4.8 | Medium | ZBX-21350

ZBV-2022-04-1 | CVE-2022-35229 | 3.7 | Low | Reflected XSS in discovery page of Zabbix Frontend | Frontend | =>4.0.0, 5.0.0-5.0.24, 6.0.0-6.0.4, 6.2alpha1-6.2beta3 | 2022 Apr 27
Description: An authenticated user can create a link with reflected JavaScript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you receive via email or other means of communication that lead to the discoveryconf.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on a suspicious link, do not fill out the opened form.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | =>4.0.0 | =>4.0.43rc1 | 3.7 | Low | ZBX-21306
Frontend | 5.0.0-5.0.24 | =>5.0.25 | 3.7 | Low | ZBX-21306
Frontend | 6.0.0-6.0.4 | =>6.0.5 | 3.7 | Low | ZBX-21306
Frontend | 6.2alpha1-6.2beta3 | =>6.2.0rc1 | 3.7 | Low | ZBX-21306

ZBV-2022-04-2 | CVE-2022-35230 | 3.7 | Low | Reflected XSS in graphs page of Zabbix Frontend | Frontend | =>4.0.23rc1, 5.0.0-5.0.24 | 2022 Apr 27
Description: An authenticated user can create a link with reflected JavaScript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you receive via email or other means of communication that lead to the graphs.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on a suspicious link, do not fill out the opened form.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | =>4.0.23rc1 | =>4.0.43rc1 | 3.7 | Low | ZBX-21305
Frontend | 5.0.0-5.0.24 | =>5.0.25rc1 | 3.7 | Low | ZBX-21305

ZBA-2022-04-1 | - | - | - | Zabbix products are not affected by vulnerabilities in Spring Framework (CVE-2022-22965 - Spring4Shell) and Spring Cloud Function (CVE-2022-22963) | - | - | 2022 Apr 04
Description: After the Spring Cloud vulnerability (CVE-2022-22963) reported on the 1st of April, a new vulnerability called Spring4Shell (CVE-2022-22965) was reported in the very popular Java framework Spring Core on JDK9+. The Zabbix team has evaluated all products and can conclude they are not affected by these vulnerabilities.
Known Attack Vectors: -
Resolution: -
Workarounds: -
Acknowledgements: -
Tickets: ZBXSEC-90

ZBA-2022-03-1 | - | - | - | Zabbix products are not affected by CVE-2018-25032 vulnerability in zlib 1.2.11 | - | - | 2022 Mar 28
Description: The Zabbix team has evaluated all products that could potentially be affected by a vulnerability identified in zlib (v.<1.2.11, CVE-2018-25032), which allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. We can conclude that Zabbix products are not affected by this vulnerability.
Known Attack Vectors: -
Resolution: -
Workarounds: -
Acknowledgements: -
Tickets: ZBXSEC-87

ZBV-2022-01-2 | CVE-2022-24917 | 3.7 | Low | Reflected XSS in service configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38, 5.0.0-5.0.20, 5.4.0-5.4.10 | 2022 Feb 02
Description: An authenticated user can create a link with reflected JavaScript code inside it for the services page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 4.0.0-4.0.38 | =>4.0.39rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.4.0-5.4.10 | =>5.4.11rc1 | 3.7 | Low | ZBX-20680

ZBV-2022-01-3 | CVE-2022-24918 | 3.7 | Low | Reflected XSS in item configuration window of Zabbix Frontend | Frontend | 5.0.0-5.0.20, 5.4.0-5.4.10, 6.0 | 2022 Feb 02
Description: An authenticated user can create a link with reflected JavaScript code inside it for the items page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.4.0-5.4.10 | =>5.4.11rc1 | 3.7 | Low | ZBX-20680
Frontend | 6.0 | =>6.0.1rc1 | 3.7 | Low | ZBX-20680

ZBV-2022-01-1 | CVE-2022-24349 | 4.6 | Medium | Reflected XSS in action configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38, 5.0.0-5.0.20, 5.4.0-5.4, 6.0 | 2022 Feb 01
Description: An authenticated user can create a link with a reflected XSS payload for the actions pages and send it to other users.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack relies on social engineering and requires a number of factors to coincide: the attacker must have authorized access to the Zabbix Frontend, a network connection between a malicious server and the victim's computer must be allowed, the attacker must understand the attacked infrastructure, be recognized by the victim as a trustee and use a trusted communication channel.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you receive via email or other means of communication that lead to the actionconf.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on a suspicious link, do not fill out the opened form.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 4.0.0-4.0.38 | =>4.0.39rc1 | 4.6 | Medium | ZBX-20680
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 4.6 | Medium | ZBX-20680
Frontend | 5.4.0-5.4 | =>5.4.11rc1 | 4.6 | Medium | ZBX-20680
Frontend | 6.0 | =>6.0.1rc1 | 4.6 | Medium | ZBX-20680

ZBV-2022-01-4 | CVE-2022-24919 | 3.7 | Low | Reflected XSS in graph configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38, 5.0.0-5.0.20, 5.4.0-5.4.10, 6.0 | 2022 Feb 01
Description: An authenticated user can create a link with reflected JavaScript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 4.0.0-4.0.38 | =>4.0.39rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.4.0-5.4.10 | =>5.4.11rc1 | 3.7 | Low | ZBX-20680
Frontend | 6.0 | =>6.0.1rc1 | 3.7 | Low | ZBX-20680

ZBV-2021-12-2 | CVE-2022-23134 | 3.7 | Low | Possible view of the setup pages by unauthenticated users if config file already exists | Frontend | 5.4.0 - 5.4.8, 6.0.0 - 6.0.0beta1 | 2021 Dec 20
Description: After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well.
Known Attack Vectors: A malicious actor can pass the step checks and potentially change the configuration of Zabbix Frontend.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or, if an immediate update is not possible, follow the workarounds presented below.
Workarounds: If an immediate update is not possible, please remove the setup.php file.
Acknowledgements: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us.
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.4.0 - 5.4.8 | 5.4.9 | 3.7 | Low | ZBX-20384
Frontend | 6.0.0 - 6.0.0beta1 | 6.0.0beta2 | 3.7 | Low | ZBX-20384

ZBA-2021-12-4 | - | - | Medium | Possible remote code execution in Zabbix Java Gateway with logback 1.2.7 and prior versions | Java gateway | 2.0-2.X, 3.0-3.X, 4.0.0 - 4.0.36, 5.0.18, 5.4.0 -5.4.8, 6.0.0alpha1-6.0.0beta1 | 2021 Dec 16
Description: In Zabbix Java Gateway with logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that allows arbitrary code loaded from LDAP servers to be executed.
Known Attack Vectors: A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met: write access to zabbix_java_gateway_logback.xml; use of logback versions < 1.2.9; reloading of the poisoned configuration data, which implies an application restart or scan="true" set prior to the attack. An attacker with such privileges may get remote access to the server running Zabbix Java Gateway.
Resolution: To remediate CVE-2021-42550, apply the updates listed in the 'Fixed Version' section to appropriate products or, if an immediate update is not possible, follow the workarounds presented below. As an additional measure for the fixed versions, we also recommend checking the permissions of the /etc/zabbix/zabbix_java_gateway_logback.xml file and setting it read-only if the “zabbix” user has write permission on it.
Workarounds: If an immediate update is not possible, check the permissions for the “zabbix” user: the /etc/zabbix/zabbix_java_gateway_logback.xml file permissions are set to read-only, and the user cannot restart the Zabbix Java Gateway service.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Java gateway | 2.0-2.X | not supported | - | Medium | ZBX-20383
Java gateway | 3.0-3.X | not supported | - | Medium | ZBX-20383
Java gateway | 4.0.0 - 4.0.36 | 4.0.37 | - | Medium | ZBX-20383
Java gateway | 5.0.18 | 5.0.19 | - | Medium | ZBX-20383
Java gateway | 5.4.0 -5.4.8 | 5.4.9 | - | Medium | ZBX-20383
Java gateway | 6.0.0alpha1-6.0.0beta1 | 6.0.0beta2 | - | Medium | ZBX-20383

ZBV-2021-12-3 | CVE-2022-23133 | 6.3 | Medium | Stored XSS in host groups configuration window in Zabbix Frontend | Frontend | 5.0.0 – 5.0.18, 5.4.0 – 5.4.8, 6.0.0alpha1 | 2021 Dec 08
Description: An authenticated user can create a host group in the configuration with an XSS payload, which will be available to other users.
Known Attack Vectors: When the XSS payload is stored by an authenticated malicious actor and other users search for groups during new host creation, the payload fires and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: -
Acknowledgements: Zabbix wants to thank Hazem Osama for reporting this issue to us.
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.0.0 – 5.0.18 | 5.0.19 | 6.3 | Medium | ZBX-20388
Frontend | 5.4.0 – 5.4.8 | 5.4.9 | 6.3 | Medium | ZBX-20388
Frontend | 6.0.0alpha1 | 6.0.0beta1 | 6.3 | Medium | ZBX-20388

ZBV-2021-12-5 | CVE-2022-23132 | 3.3 | Low | Incorrect permissions of [/var/run/zabbix] forces dac_override | Proxy, Server | 4.0.0 - 4.0.36, 5.0.18, 5.4.0 – 5.4.8, 6.0.0alpha1-6.0.0alpha7 | 2021 Dec 01
Description: During Zabbix installation from RPM, the DAC_OVERRIDE SELinux capability is used to access PID files in the [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permission checks at the file system level.
Known Attack Vectors: -
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
Workarounds: -
Acknowledgements: Zabbix wants to thank Brian J. Murrell for reporting this issue to us.
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Proxy, Server | 4.0.0 - 4.0.36 | no fixes provided | 3.3 | Low | ZBX-20341
Proxy, Server | 5.0.18 | 5.0.19 | 3.3 | Low | ZBX-20341
Proxy, Server | 5.4.0 – 5.4.8 | 5.4.9 | 3.3 | Low | ZBX-20341
Proxy, Server | 6.0.0alpha1-6.0.0alpha7 | 6.0.0beta1 | 3.3 | Low | ZBX-20341

ZBV-2021-11-1 | CVE-2022-23131 | 9.1 | Critical | Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML | Frontend | 5.4.0 - 5.4.8, 6.0.0alpha1 | 2021 Nov 22
Description: On instances where SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because the user login stored in the session was not verified.
Known Attack Vectors: A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication has to be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or, if an immediate update is not possible, follow the workarounds presented below.
Workarounds: Disable SAML authentication.
Acknowledgements: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us.
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.4.0 - 5.4.8 | 5.4.9 | 9.1 | Critical | ZBX-20350
Frontend | 6.0.0alpha1 | 6.0.0beta1 | 9.1 | Critical | ZBX-20350