SB2024120104 - Fedora EPEL 9 update for zabbix

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024120104

SB2024120104 - Fedora EPEL 9 update for zabbix

Published: December 1, 2024

Security Bulletin ID SB2024120104
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Format string error (CVE-ID: CVE-2024-42330)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within the HttpRequest object that allows to get the HTTP headers from the server's response after sending the request. The returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. A remote user can create internal strings that can be used to access hidden properties of objects, which can lead to remote code execution.


2) Improper output neutralization for logs (CVE-ID: CVE-2024-42332)

The vulnerability allows a remote attacker to spoof contents of the log files.

The vulnerability exists due to an error when parsing SNMP trap logs. A remote attacker can send specially crafted input to the application and spoof the contents log files shown via the Zabbix UI.

Note, successful exploitation of the vulnerability requires that the SNMP authentication is turned off and/or the attacker has knowledge of the community/auth details.


3) Out-of-bounds read (CVE-ID: CVE-2024-42333)

The vulnerability allows a remote usre to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in src/libs/zbxmedia/email.c. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.


Remediation

Install update from vendor's website.

References