Main Vulnerability Database Vulnerabilities #VU101062

Format string error in Zabbix - CVE-2024-42330

Published: December 1, 2024

Vulnerability identifier: #VU101062

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-42330

CWE-ID: CWE-134

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Zabbix

Affected software:
Zabbix

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within the HttpRequest object that allows to get the HTTP headers from the server's response after sending the request. The returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. A remote user can create internal strings that can be used to access hidden properties of objects, which can lead to remote code execution.

How to mitigate CVE-2024-42330

Install updates from vendor's website.

Sources

https://support.zabbix.com/browse/ZBX-25626

Format string error in Zabbix - CVE-2024-42330

Detailed vulnerability description

How to mitigate CVE-2024-42330

Sources

Please verify you're human