CVE-2024-42331

Name

CVE-2024-42331

Description

In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
	https://support.zabbix.com/browse/ZBX-25627
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/12/msg00005.html

CPE URI	Source package	Min version	Max version
	zabbix	>= 7.0.0	<= 7.0.3
`cpe:2.3:a:zabbix:zabbix::::::::`	zabbix	>= 7.0.0	< 7.0.4

Source package	Branch	Version	Maintainer	Status
zabbix	edge-community	7.0.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
zabbix	3.22-community	7.0.1-r0	None	possibly vulnerable

References

Match rules

Vulnerable and fixed packages