Описание
In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| zabbix | fixed | 1:7.0.5+dfsg-1 | package |
Примечания
https://support.zabbix.com/browse/ZBX-25627
Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/e1bcc14d49a779587b6f31dddaf1ccbba4008d20 (7.0.4rc1)
and additionally https://github.com/zabbix/zabbix/commit/e731ed95fda7572ebae5eaffaa70f41e8f897e0d (7.0.4rc1)
Связанные уязвимости
In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.
In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.
In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.
Уязвимость сценария src/libs/zbxembed/browser.c универсальной системы мониторинга Zabbix, позволяющая нарушителю вызвать отказ в обслуживании (DoS)
