Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-42327

Опубликовано: 27 нояб. 2024
Источник: debian
EPSS Высокий

Описание

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
zabbixfixed1:7.0.1+dfsg-1package
zabbixnot-affectedbullseyepackage

Примечания

  • https://support.zabbix.com/browse/ZBX-25623

  • Fixed by: https://github.com/zabbix/zabbix/commit/9256f8d933a50a468ae36e7a40301aa761941612 (7.0.1rc1)

  • Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/39ff97dbf6f229a1b9c4f38db061aa73dd680828 (6.0.32rc1)

  • Userroles introduced with commit https://github.com/zabbix/zabbix/commit/e5f4a103352a2e182c177236079bbe2a22907e45 (6.0.0alpha1)

EPSS

Процентиль: 99%
0.87701
Высокий

Связанные уязвимости

ubuntu логотип

CVE-2024-42327

CVSS3: 9.9
ubuntu
10 месяцев назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

nvd логотип

CVE-2024-42327

CVSS3: 9.9
nvd
10 месяцев назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

github логотип

GHSA-gx59-7g62-6xhg

CVSS3: 9.9
github
10 месяцев назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

fstec логотип

BDU:2024-10543

CVSS3: 9.9
fstec
10 месяцев назад

Уязвимость функции addRelatedObjects универсальной системы мониторинга Zabbix, позволяющая нарушителю повысить свои привилегии

redos логотип

ROS-20241212-24

CVSS3: 9.9
redos
9 месяцев назад

Уязвимость zabbix7-lts-server-pgsql

EPSS

Процентиль: 99%
0.87701
Высокий