Debian LTS: DLA-3984-1: zabbix Security Advisory Updates

December 7, 2024
Multiple vulnerabilities in zabbix require updates to address potential risks including denial of service and information leaks.
Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially among other effects allowing denial of service, information disclosure, ...

Summary


CVE-2024-36464

When exporting media types, the password is exported in the YAML in
plain text. This appears to be a best practices type issue and may
have no actual impact. The user would need to have permissions to
access the media types and therefore would be expected to have
access to these passwords.
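
A check a defender can run on export files before they are committed to a repository or attached to a ticket, given as an added example that is not part of the advisory or of Zabbix. The YAML key names in the constructed sample (`media_types`, `password`, and so on) are assumptions about the export layout, and the scan is line-based rather than a full YAML parser.

```python
import re

# Constructed sample resembling a media type export; the key names used here
# are assumptions for illustration, not taken from the advisory.
SAMPLE_EXPORT = """\
zabbix_export:
  version: '5.0'
  media_types:
    - name: Mail relay
      type: EMAIL
      smtp_server: mail.example.test
      username: alerts
      password: 'constructed-secret'
    - name: Pager script
      type: SCRIPT
      password: ''
"""

# Keys treated as secret-bearing (assumption; extend for local conventions).
SECRET_KEYS = ("password", "passwd", "token")
_LINE = re.compile(r"^(?P<lead>\s*(?:-\s+)?)(?P<key>[A-Za-z_]+):\s*(?P<val>.*?)\s*$")

def _unquote(value):
    """Strip one pair of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def scan_export(text):
    """Return (findings, redacted_text); findings are (line_no, key) pairs."""
    findings, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if m and m["key"].lower() in SECRET_KEYS:
            # Empty strings and YAML nulls carry no secret, so skip them.
            if _unquote(m["val"]) not in ("", "~", "null"):
                findings.append((no, m["key"]))
                line = f"{m['lead']}{m['key']}: '***REDACTED***'"
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    hits, redacted = scan_export(SAMPLE_EXPORT)
    for no, key in hits:
        print(f"line {no}: plaintext value in '{key}'")
    print(redacted)
```
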

CVE-2024-42330

The HttpRequest object allows retrieving the HTTP headers from the
server's response after sending the request. The problem is that the
returned strings are created directly from the data returned by the
server and are not correctly encoded for JavaScript. This makes it
possible to create internal strings that can be used to access hidden
properties of objects.

CVE-2024-42331

In the src/libs/zbxembed/browser.c file, the es_browser_ctor method
retrieves a heap pointer from the Duktape JavaScript engine. This
heap pointer is subsequently utilized by the browser_push_error
method in the src/libs/zbxembed/browser_error.c file. A



Severity: important

Package: zabbix
Version: 1:5.0.45+dfsg-1+deb11u1
CVE ID: CVE-2024-36464, CVE-2024-42330, CVE-2024-42331, CVE-2024-42332
Debian Bug: 1088689
