Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-42327

Опубликовано: 27 нояб. 2024
Источник: debian

Описание

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
zabbixfixed1:7.0.1+dfsg-1package
zabbixnot-affectedbullseyepackage

Примечания

  • https://support.zabbix.com/browse/ZBX-25623

  • Fixed by: https://github.com/zabbix/zabbix/commit/9256f8d933a50a468ae36e7a40301aa761941612 (7.0.1rc1)

  • Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/39ff97dbf6f229a1b9c4f38db061aa73dd680828 (6.0.32rc1)

  • Userroles introduced with commit https://github.com/zabbix/zabbix/commit/e5f4a103352a2e182c177236079bbe2a22907e45 (6.0.0alpha1)

Связанные уязвимости

ubuntu логотип

CVE-2024-42327

CVSS3: 9.9
ubuntu
около 1 года назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

nvd логотип

CVE-2024-42327

CVSS3: 9.9
nvd
около 1 года назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

github логотип

GHSA-gx59-7g62-6xhg

CVSS3: 9.9
github
около 1 года назад

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

fstec логотип

BDU:2024-10543

CVSS3: 9.9
fstec
около 1 года назад

Уязвимость функции addRelatedObjects универсальной системы мониторинга Zabbix, позволяющая нарушителю повысить свои привилегии

redos логотип

ROS-20241212-24

CVSS3: 9.9
redos
около 1 года назад

Уязвимость zabbix7-lts-server-pgsql