Zabbix up to 5.0.42/6.0.32/6.4.17/7.0.2 access to critical private variable via public method

Summaryinfo

A vulnerability described as critical has been identified in Zabbix up to 5.0.42/6.0.32/6.4.17/7.0.2. Affected is an unknown function. Executing a manipulation can lead to access to critical private variable via public method. This vulnerability is handled as CVE-2024-36463. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability has been found in Zabbix up to 5.0.42/6.0.32/6.4.17/7.0.2 and classified as critical. This vulnerability affects an unknown code block. The manipulation with an unknown input leads to a access to critical private variable via public method vulnerability. The CWE definition for the vulnerability is CWE-767. The product defines a public method that reads or modifies a private variable. As an impact it is known to affect availability. CVE summarizes:

The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects.

The advisory is available at support.zabbix.com. This vulnerability was named CVE-2024-36463 since 05/28/2024. The exploitation appears to be easy. The attack can be initiated remotely. The technical details are unknown and an exploit is not available.

The vulnerability scanner Nessus provides a plugin with the ID 239993 (TencentOS Server 4: zabbix (TSSA-2024:1129)), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (239993). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Network Management Software

Name

• Zabbix

Version

• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5
• 5.0.6
• 5.0.7
• 5.0.8
• 5.0.9
• 5.0.10
• 5.0.11
• 5.0.12
• 5.0.13
• 5.0.14
• 5.0.15
• 5.0.16
• 5.0.17
• 5.0.18
• 5.0.19
• 5.0.20
• 5.0.21
• 5.0.22
• 5.0.23
• 5.0.24
• 5.0.25
• 5.0.26
• 5.0.27
• 5.0.28
• 5.0.29
• 5.0.30
• 5.0.31
• 5.0.32
• 5.0.33
• 5.0.34
• 5.0.35
• 5.0.36
• 5.0.37
• 5.0.38
• 5.0.39
• 5.0.40
• 5.0.41
• 5.0.42
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11
• 6.0.12
• 6.0.13
• 6.0.14
• 6.0.15
• 6.0.16
• 6.0.17
• 6.0.18
• 6.0.19
• 6.0.20
• 6.0.21
• 6.0.22
• 6.0.23
• 6.0.24
• 6.0.25
• 6.0.26
• 6.0.27
• 6.0.28
• 6.0.29
• 6.0.30
• 6.0.31
• 6.0.32
• 6.4.0
• 6.4.1
• 6.4.2
• 6.4.3
• 6.4.4
• 6.4.5
• 6.4.6
• 6.4.7
• 6.4.8
• 6.4.9
• 6.4.10
• 6.4.11
• 6.4.12
• 6.4.13
• 6.4.14
• 6.4.15
• 6.4.16
• 6.4.17
• 7.0.0
• 7.0.1
• 7.0.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion