Zabbix Security Update Advisory
Overview
Zabbix has released updates that fix two vulnerabilities, CVE-2024-42327 and CVE-2024-42330. Users of the affected versions are advised to upgrade to a fixed version as soon as possible.
Affected Products
CVE-2024-42327
- Zabbix FrontEnd versions: 6.0.0 (inclusive) ~ 6.0.31 (inclusive)
- Zabbix FrontEnd versions: 6.4.0 (inclusive) ~ 6.4.16 (inclusive)
- Zabbix FrontEnd version: 7.0.0
CVE-2024-42330
- Zabbix versions: 6.0.0 (inclusive) ~ 6.0.33 (inclusive)
- Zabbix versions: 6.4.0 (inclusive) ~ 6.4.18 (inclusive)
- Zabbix versions: 7.0.0 (inclusive) ~ 7.0.3 (inclusive)
Resolved Vulnerabilities
SQL injection in the addRelatedObjects function of the CUser class, reachable through the user.get API method. Any non-administrator account that has API access (for example the default User role) can exploit it, so the attack does not require administrator privileges (CVE-2024-42327)
The HttpRequest object (used in the embedded JavaScript engine) returns the HTTP headers of the server's response as strings that are built directly from the server data without proper encoding for JavaScript. A malicious server can therefore create internal strings that give access to hidden properties of objects (CVE-2024-42330)
Vulnerability Patches
Patches for these vulnerabilities are included in the latest updates. Follow the instructions on the Referenced Sites below to upgrade to a patched version; the version numbers listed here are the first builds that contain the fix, so any later release in the same branch also contains it.
CVE-2024-42327
- Zabbix FrontEnd version: 6.0.32rc1
- Zabbix FrontEnd version: 6.4.17rc1
- Zabbix FrontEnd version: 7.0.1rc1
CVE-2024-42330
- Zabbix version: 6.0.34rc1
- Zabbix version: 6.4.19rc1
- Zabbix version: 7.0.4rc1
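The following script is an added example for checking an installation against the version ranges above; it is not part of the advisory or of Zabbix itself. It encodes the affected and first-fixed versions from this page, parses Zabbix version strings (including the rcN builds listed above, which sort before the final release of the same number), and builds the JSON-RPC request for the real apiinfo.version method, which needs no authentication token. The sample version strings and the sample API reply are constructed for illustration. Note that apiinfo.version reports the frontend version, which is the relevant component for CVE-2024-42327; CVE-2024-42330 lives in the server/proxy JavaScript engine, so also check those binaries with zabbix_server -V and zabbix_proxy -V.

```python
import json
import re
import urllib.request

# Ranges taken from the advisory: per branch, (first affected version, first fixed build).
# Every version at or above the first entry and below the fixed build is affected.
AFFECTED = {
    "CVE-2024-42327": [("6.0.0", "6.0.32rc1"), ("6.4.0", "6.4.17rc1"), ("7.0.0", "7.0.1rc1")],
    "CVE-2024-42330": [("6.0.0", "6.0.34rc1"), ("6.4.0", "6.4.19rc1"), ("7.0.0", "7.0.4rc1")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")
_FINAL = 10**6  # sort key for a final release: after every rc build of the same number


def parse_version(text):
    """Turn '6.0.34rc1' / '7.0.3' into a comparable tuple (major, minor, patch, rc_rank)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, rc = match.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else _FINAL)


def vulnerable_cves(version):
    """Return the CVEs from this advisory that apply to the given Zabbix version."""
    parsed = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for first_affected, first_fixed in ranges:
            if parse_version(first_affected) <= parsed < parse_version(first_fixed):
                hits.append(cve)
                break
    return hits


def apiinfo_request():
    """JSON-RPC body for apiinfo.version; this method is callable without an auth token."""
    return json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1})


def version_from_response(body):
    """Extract the version string from an apiinfo.version reply (raises on a JSON-RPC error)."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"Zabbix API error: {data['error']}")
    return data["result"]


def check_frontend(api_url, timeout=10):
    """Query a live frontend, e.g. https://zabbix.example/api_jsonrpc.php (hypothetical host)."""
    req = urllib.request.Request(
        api_url,
        data=apiinfo_request().encode(),
        headers={"Content-Type": "application/json-rpc"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        version = version_from_response(resp.read().decode())
    return version, vulnerable_cves(version)


if __name__ == "__main__":
    # Constructed sample reply and sample versions; no network access is needed to run this.
    sample_reply = '{"jsonrpc":"2.0","result":"7.0.3","id":1}'
    print("API reported", version_from_response(sample_reply))
    for v in ("6.0.31", "6.0.32rc1", "6.4.19", "7.0.3", "7.0.4rc1"):
        print(f"{v:>10}: {vulnerable_cves(v) or 'not affected'}")
```

To test a real frontend, call check_frontend() with the URL of its api_jsonrpc.php endpoint; the request body it sends is identical to what the script prints with apiinfo_request(), so the same check can be done with curl.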
Referenced Sites
[1] CVE-2024-42327 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-42327
[2] SQL injection in user.get API (CVE-2024-42327)
https://support.zabbix.com/browse/ZBX-25623
[3] CVE-2024-42330 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-42330
[4] JS – Internal strings in HTTP headers (CVE-2024-42330)