Summary
Some new vulnerabilities, including 2 with “critical” severity and 2 with “high” severity, have been discovered in Zabbix, a well-known open source product for monitoring networks and computer systems.
Notes (updated 05/12/2024): a Proof of Concept (PoC) for the exploitation of CVE-2024-42327 is available online.
Risk (updated 05/12/2024)
Estimate of the impact of the vulnerability on the reference community: SERIOUS/RED (79.35/100)1.
Type
- Authentication Bypass
- Privilege Escalation
- Remote Code Execution
Affected Products and Versions
Zabbix
- 5.0.x, from version 5.0.0 to 5.0.42
- 6.0.x, from version 6.0.0 to 6.0.33
- 6.4.x, from version 6.4.0 to 6.4.18
- 7.0.x, from version 7.0.0 to 7.0.3
Mitigation Actions
It is recommended to update the affected product to the latest available version.
Unique Vulnerability Identifiers
References
https://www.zabbix.com/security_advisories
https://support.zabbix.com/browse/ZBX-25623
https://support.zabbix.com/browse/ZBX-25626
https://support.zabbix.com/browse/ZBX-25614
https://support.zabbix.com/browse/ZBX-25635
1This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.
