Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-42327

Опубликовано: 27 нояб. 2024
Источник: debian
EPSS Высокий

Описание

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
zabbixfixed1:7.0.1+dfsg-1package
zabbixnot-affectedbullseyepackage

Примечания

  • https://support.zabbix.com/browse/ZBX-25623

  • Fixed by: https://github.com/zabbix/zabbix/commit/9256f8d933a50a468ae36e7a40301aa761941612 (7.0.1rc1)

  • Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/39ff97dbf6f229a1b9c4f38db061aa73dd680828 (6.0.32rc1)

  • Userroles introduced with commit https://github.com/zabbix/zabbix/commit/e5f4a103352a2e182c177236079bbe2a22907e45 (6.0.0alpha1)

EPSS

Процентиль: 99%
0.86829
Высокий

Связанные уязвимости

ubuntu логотип

CVE-2024-42327

CVSS3: 9.9
ubuntu
7 месяцев назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

nvd логотип

CVE-2024-42327

CVSS3: 9.9
nvd
7 месяцев назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

github логотип

GHSA-gx59-7g62-6xhg

CVSS3: 9.9
github
7 месяцев назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

fstec логотип

BDU:2024-10543

CVSS3: 9.9
fstec
7 месяцев назад

Уязвимость функции addRelatedObjects универсальной системы мониторинга Zabbix, позволяющая нарушителю повысить свои привилегии

redos логотип

ROS-20241212-24

CVSS3: 9.9
redos
6 месяцев назад

Уязвимость zabbix7-lts-server-pgsql

EPSS

Процентиль: 99%
0.86829
Высокий