SB2024120101 - Multiple vulnerabilities in Zabbix

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2024-42333)

The vulnerability allows a remote usre to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in src/libs/zbxmedia/email.c. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.

2) Format string error (CVE-ID: CVE-2024-42330)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within the HttpRequest object that allows to get the HTTP headers from the server's response after sending the request. The returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. A remote user can create internal strings that can be used to access hidden properties of objects, which can lead to remote code execution.

Remediation

Install update from vendor's website.

References

• https://support.zabbix.com/browse/ZBX-25629
• https://support.zabbix.com/browse/ZBX-25626