ALT Linux Team

Package zabbix update in p11 on 2024-08-19

ALT-PU-2024-10784-3

Package zabbix updated to version 7.0.2-alt2 for branch p11 in task 354432.

Closed vulnerabilities

Published: 2024-09-13
Modified: 2024-10-08

BDU:2024-06996

Уязвимость универсальной системы мониторинга Zabbix, связанная с распределением ресурсов без ограничений и регулирования, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2024-09-13
Modified: 2026-02-16

BDU:2024-07008

Уязвимость универсальной системы мониторинга Zabbix, связанная с хранением пароля в открытом виде, позволяющая нарушителю получить доступ к конфиденциальной информации

Severity: HIGH (8.1)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Severity: HIGH (8.5)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
References:
Published: 2024-09-13
Modified: 2026-02-16

BDU:2024-07010

Уязвимость универсальной системы мониторинга Zabbix, связанная с разыменованием ненадежного указателя, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.1)Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
Severity: HIGH (8.0)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:C
References:
Published: 2024-12-02
Modified: 2026-02-16

BDU:2024-10543

Уязвимость функции addRelatedObjects универсальной системы мониторинга Zabbix, позволяющая нарушителю повысить свои привилегии

Severity: CRITICAL (9.9)Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2024-12-05
Modified: 2026-02-16

BDU:2024-10777

Уязвимость интерфейса универсальной системы мониторинга Zabbix, позволяющая нарушителю повысить свои привилегии

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
References:
Published: 2024-12-06
Modified: 2026-02-16

BDU:2024-10866

Уязвимость механизма аутентификации Single sign-on (SSO) универсальной системы мониторинга Zabbix, позволяющая нарушителю обойти существующие ограничения безопасности и повысить свои привилегии

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2024-08-12
Modified: 2025-11-03

CVE-2024-36460

The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.

Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Published: 2024-08-12
Modified: 2025-11-03

CVE-2024-36461

Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-08-12
Modified: 2024-12-10

CVE-2024-36462

Uncontrolled resource consumption refers to a software vulnerability where a attacker or system uses excessive resources, such as CPU, memory, or network bandwidth, without proper limitations or controls. This can cause a denial-of-service (DoS) attack or degrade the performance of the affected system.

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-11-28
Modified: 2025-10-08

CVE-2024-36466

A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-11-27
Modified: 2025-10-08

CVE-2024-36467

An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-11-27
Modified: 2025-10-08

CVE-2024-42327

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

Severity: CRITICAL (9.9)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References:

Closed bugs

Bug #50854

Не хватает зависимостей php-*

VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top