CVE-2024-42327

CVE-2024-42327

Name

CVE-2024-42327

Description

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
	https://support.zabbix.com/browse/ZBX-25623

Type

URI

https://support.zabbix.com/browse/ZBX-25623

Match rules

CPE URI	Source package	Min version	Max version
	zabbix	>= 6.0.0	<= 6.0.31
	zabbix	>= 6.4.0	<= 6.4.16
	zabbix	>= 7.0.0	<= 7.0.1
`cpe:2.3:a:zabbix:zabbix::::::::`	zabbix	>= 6.0.0	<= 6.0.31
`cpe:2.3:a:zabbix:zabbix::::::::`	zabbix	>= 6.4.0	<= 6.4.16
`cpe:2.3:a:zabbix:zabbix::::::::`	zabbix	>= 7.0.0	<= 7.0.1

CPE URI

Source package

Min version

Max version

zabbix

>= 6.0.0

<= 6.0.31

zabbix

>= 6.4.0

<= 6.4.16

zabbix

>= 7.0.0

<= 7.0.1

cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*

zabbix

>= 6.0.0

<= 6.0.31

cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*

zabbix

>= 6.4.0

<= 6.4.16

cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*

zabbix

>= 7.0.0

<= 7.0.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
zabbix	edge-community	7.0.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	fixed
zabbix	3.20-community	6.4.18-r0	Kevin Daudt <kdaudt@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

zabbix

edge-community

7.0.1-r0

Kevin Daudt <kdaudt@alpinelinux.org>

fixed

zabbix

3.20-community

6.4.18-r0

Kevin Daudt <kdaudt@alpinelinux.org>

fixed

References

Match rules

Vulnerable and fixed packages