SB2024120101 - Multiple vulnerabilities in Zabbix
Published: December 1, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2024-42333)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote usre to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in src/libs/zbxmedia/email.c. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.
2) Format string error (CVE-ID: CVE-2024-42330)
CWE-ID: CWE-134 - Use of Externally-Controlled Format String
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within the HttpRequest object that allows to get the HTTP headers from the server's response after sending the request. The returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. A remote user can create internal strings that can be used to access hidden properties of objects, which can lead to remote code execution.
Remediation
Install update from vendor's website.