Errata ALT-PU-2024-1565-3: Information
Fixes
Published: May 11, 2023
BDU:2023-06803
Уязвимость интерфейса универсальной системы мониторинга Zabbix, позволяющая нарушителю проводить межсайтовые сценарные атаки
Severity: HIGH (7.6) Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Links:
Published: Sept. 11, 2023
BDU:2023-08246
Уязвимость модуля zabbix/src/libs/zbxjson универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный код
Severity: CRITICAL (9.6) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Links:
Published: Dec. 18, 2023
BDU:2024-00033
Уязвимость функции icmpping универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный код
Severity: HIGH (7.2) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Links:
Published: Dec. 18, 2023
BDU:2024-00645
Уязвимость компонента DNS Response Handler агента универсальной системы мониторинга Zabbix, позволяющая нарушителю вызвать переполнение буфера
Severity: HIGH (8.1) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
Published: Oct. 12, 2023
Modified: Jan. 25, 2024
Modified: Jan. 25, 2024
CVE-2023-32721
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.
Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Links:
Published: Oct. 12, 2023
Modified: Oct. 17, 2023
Modified: Oct. 17, 2023
CVE-2023-32722
The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
Published: Oct. 12, 2023
Modified: Oct. 17, 2023
Modified: Oct. 17, 2023
CVE-2023-32724
Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Links:
Published: Dec. 18, 2023
Modified: Jan. 25, 2024
Modified: Jan. 25, 2024
CVE-2023-32726
The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://support.zabbix.com/browse/ZBX-23855
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMFKNV5E4LG2DIZNPRWQ2ENH75H6UEQT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BYSYLA7VTHR25CBLYO5ZLEJFGU7HTHQB/
- https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html
Published: Dec. 18, 2023
Modified: Dec. 22, 2023
Modified: Dec. 22, 2023
CVE-2023-32727
An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.
Severity: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Links:
Published: Dec. 18, 2023
Modified: Dec. 22, 2023
Modified: Dec. 22, 2023
CVE-2023-32728
The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Links: