ELA-1409-1 zabbix security update

multiple vulnerabilities

2025-04-27
Package: zabbix
Version: 1:2.2.23+dfsg-0+deb8u10 (jessie), 1:4.0.4+dfsg-1+deb10u6 (buster)
Related CVEs: CVE-2024-22114 CVE-2024-22116 CVE-2024-22117 CVE-2024-22122 CVE-2024-22123 CVE-2024-36464 CVE-2024-36467 CVE-2024-36469 CVE-2024-42325 CVE-2024-42332 CVE-2024-42333 CVE-2024-45700


Several security vulnerabilities have been discovered in zabbix, a network monitoring solution. Among other effects, they potentially allow cross-site scripting (XSS), code execution (including remote code execution), information disclosure, impersonation or session hijacking.

Most of the CVEs apply to the buster update only; the one CVE that also affects jessie is marked accordingly.

CVE-2024-22114

A user without permission to any host can access and view the host
count and other statistics through the System Information widget in the
Global View dashboard.

CVE-2024-22116

An administrator with restricted permissions can exploit the script
execution functionality within the Monitoring Hosts section. Because
script parameters are not escaped by default, this user is able to
execute arbitrary code via the Ping script, thereby compromising the
infrastructure.
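The escaping gap behind CVE-2024-22116, as an added Python illustration (not Zabbix's own script-handling code): a constructed ping-style command template with a {HOST.CONN} macro is expanded once verbatim and once through shlex.quote, and a small tokeniser shows what a POSIX shell would make of each result. The template, the hostile host value and the tokeniser are all assumptions made for this example.

```python
from __future__ import annotations

import shlex

# Constructed stand-in for a Zabbix-style global script that pings a host:
# the {HOST.CONN} macro is expanded from host data a restricted admin may edit.
# Illustrative only; this is not how Zabbix itself stores or expands scripts.
PING_TEMPLATE = "ping -c 3 {HOST.CONN}"

# Unquoted shell tokens that end one command and start the next.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}


def expand_unescaped(template: str, host_conn: str) -> str:
    """Vulnerable pattern: the macro value is pasted into the command line
    verbatim, so a value such as '127.0.0.1; id' becomes two shell commands."""
    return template.replace("{HOST.CONN}", host_conn)


def expand_escaped(template: str, host_conn: str) -> str:
    """Hardened pattern: the expanded value is shell-quoted, so it stays a
    single argument to ping regardless of the characters it contains."""
    return template.replace("{HOST.CONN}", shlex.quote(host_conn))


def shell_commands(command_line: str) -> list[list[str]]:
    """Tokenise a command line the way a POSIX shell would and split it into
    the argv of each command it would run. Nothing is executed; this only
    shows what the shell would see."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    hostile = "127.0.0.1; id"  # constructed attacker-controlled host value
    print(shell_commands(expand_unescaped(PING_TEMPLATE, hostile)))
    # [['ping', '-c', '3', '127.0.0.1'], ['id']]
    print(shell_commands(expand_escaped(PING_TEMPLATE, hostile)))
    # [['ping', '-c', '3', '127.0.0.1; id']]
```

Quoting turns the injected text into one argument that ping will simply fail to resolve; in a real deployment the value should additionally be validated as a hostname or IP address before it reaches any command line.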

CVE-2024-22117

When a URL is added to a map element, it is stored in the database
with a sequential ID: on adding a new URL, the system reads the last
sysmapelementurlid value and increments it by one. A user who manually
sets sysmapelementurlid to that next value (sysmapelementurlid + 1)
prevents other users from adding URLs to the map element.

CVE-2024-22122

Zabbix allows SMS notifications to be configured. AT command injection
is possible on the Zabbix server because the "Number" field is validated
neither in the web frontend nor on the server side. An attacker can run
an SMS test with a specially crafted phone number and thereby execute
additional AT commands on the modem.

CVE-2024-22123

Configuring SMS media allows the GSM modem file to be set; this file is
later opened as a Linux device. Because everything is a file on Linux,
it is possible to point this setting at another file, e.g. a log file,
and zabbix_server will try to talk to it as if it were a modem. As a
result, the log file is corrupted with AT commands and a small part of
its content is leaked to the UI.
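The two input checks the SMS media path needs, covering both CVE-2024-22122 and CVE-2024-22123, as an added Python example (not Zabbix's own media code): the "Number" field is restricted to an E.164-style digit string so a carriage return cannot terminate the AT line early, and the modem path is required to be a character device so a regular file such as a log can never be opened as the modem. The AT+CMGS text-mode send command is real; the regular expression, function names and the constructed hostile number are assumptions for this example.

```python
import os
import re
import stat
import tempfile

# Optional '+' followed by 3 to 15 digits (E.164 length limit). Anything else,
# including the CR/LF that terminates an AT command line, is refused.
SMS_NUMBER = re.compile(r"\+?[0-9]{3,15}")


def is_valid_sms_number(number: str) -> bool:
    return SMS_NUMBER.fullmatch(number) is not None


def validate_sms_number(number: str) -> str:
    """Reject any 'Number' value that could smuggle extra AT commands."""
    if not is_valid_sms_number(number):
        raise ValueError(f"rejected SMS number: {number!r}")
    return number


def build_sms_send_command(number: str) -> str:
    """Build the text-mode AT+CMGS line from a validated number. Without the
    check, a constructed value like '+1555\\rATD+15559999;' would end the line
    at the CR and the modem would parse the rest as a second command."""
    return f'AT+CMGS="{validate_sms_number(number)}"\r'


def is_character_device(path: str) -> bool:
    """True only if path exists and is a character device (e.g. /dev/ttyUSB0)."""
    try:
        return stat.S_ISCHR(os.stat(path).st_mode)
    except OSError:
        return False


def validate_modem_device(path: str) -> str:
    """Refuse a GSM modem path that is not a character device, so the server
    never opens a regular file (such as its own log) and writes AT commands
    into it."""
    if not is_character_device(path):
        raise ValueError(f"{path} is not a character device")
    return path


def regular_file_is_rejected() -> bool:
    """Self-check against a constructed temporary regular file."""
    with tempfile.NamedTemporaryFile() as log_like_file:
        try:
            validate_modem_device(log_like_file.name)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(build_sms_send_command("+15551234567"))   # AT+CMGS="+15551234567"
    print(is_valid_sms_number("+1555\rATD+15559999;"))  # False
    print(is_character_device("/dev/null"))         # True on Linux
    print(regular_file_is_rejected())               # True
```

The device check should run at configuration time and again immediately before each open, since the path can be changed between the two; the number check belongs in both the frontend and the server, as the advisory notes that neither side validated it.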

CVE-2024-36464

When media types are exported, the password is written to the YAML in
plain text. This appears to be a best-practices issue and may have no
practical impact: the user needs permission to access the media types
and would therefore be expected to have access to these passwords
anyway.

CVE-2024-36467

An authenticated user with API access (e.g. a user with the default User
role), more specifically a user with access to the user.update API
endpoint, is able to add themselves to any group (e.g. Zabbix
Administrators), except groups that are disabled or have restricted GUI
access.

CVE-2024-36469

The execution time of an unsuccessful login differs between a
non-existing username and an existing one, which allows valid usernames
to be enumerated by timing.
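The shape of the timing leak in CVE-2024-36469 and the usual fix, as an added Python illustration (not Zabbix's authentication code): a login that returns before hashing when the username is unknown does measurably less work than one that hashes a wrong password, so the hardened version always hashes and compares against a dummy record. The account table, the fixed salt, PBKDF2 as the hash and the call counter are all assumptions for this example.

```python
import hashlib
import hmac

# Constructed account table with a single shared salt and PBKDF2-SHA256.
# This illustrates the timing issue only; it is not Zabbix's password scheme.
SALT = b"constructed-demo-salt"
ITERATIONS = 50_000
HASH_CALLS = {"count": 0}   # instrumentation: how much work a login did


def hash_password(password: str) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": hash_password("correct horse battery")}
# Hash of a throwaway password that is never accepted; compared against when
# the username is unknown so that both code paths do the same amount of work.
DUMMY_HASH = hash_password("dummy-password-never-accepted")


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown usernames return before the expensive hash,
    so a failed login for a non-existing user is measurably faster."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(hash_password(password), stored)


def login_constant_work(username: str, password: str) -> bool:
    """Hardened pattern: always compute the hash and compare it against either
    the real record or DUMMY_HASH, then refuse unknown users afterwards."""
    stored = USERS.get(username)
    expected = stored if stored is not None else DUMMY_HASH
    matches = hmac.compare_digest(hash_password(password), expected)
    return matches and stored is not None


def hash_calls_for(login, username: str, password: str) -> int:
    """Count the hash computations performed by one login attempt."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before


if __name__ == "__main__":
    print(hash_calls_for(login_leaky, "nobody", "x"))          # 0
    print(hash_calls_for(login_leaky, "alice", "x"))           # 1
    print(hash_calls_for(login_constant_work, "nobody", "x"))  # 1
    print(hash_calls_for(login_constant_work, "alice", "x"))   # 1
```

With per-user salts the dummy record must carry a salt of the same shape, and the user lookup itself (a database query that may hit or miss an index) is a second place where the two paths can diverge in time.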

CVE-2024-42325 (jessie and buster)

The Zabbix API method user.get returns all users that share a common
group with the calling user, including their media and other
information such as login attempts.

CVE-2024-42332

Because of the way the SNMP trap log is parsed, an attacker can craft an
SNMP trap with additional lines of information and have forged data
shown in the Zabbix UI. The attack requires SNMP authentication to be
off, or the attacker to know the community/authentication details, and
an SNMP item configured as text on the target host.

CVE-2024-42333

It is possible to leak a small amount of Zabbix server memory through
an out-of-bounds read in src/libs/zbxmedia/email.c.

CVE-2024-45700

Zabbix server is vulnerable to denial of service due to uncontrolled
resource exhaustion. An attacker can send specially crafted requests
that cause the server to allocate an excessive amount of memory and
perform CPU-intensive decompression, ultimately crashing the service.
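The resource bound a decompressing service needs against the class of attack in CVE-2024-45700, as an added Python example (not Zabbix's own request handling, whose compression format and limits the advisory does not name): zlib inflation is driven through decompressobj with a max_length on every call, so a payload whose output would exceed a cap is rejected before the memory is ever allocated. The 1 MiB cap and the constructed payloads, including a 16 MiB run of zeros that compresses to a few kilobytes, are assumptions for this example.

```python
import zlib

MAX_DECOMPRESSED_BYTES = 1 << 20   # hypothetical 1 MiB cap per request


class DecompressionLimitExceeded(ValueError):
    pass


def safe_decompress(payload: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a zlib stream but stop as soon as the output would exceed limit.

    max_length bounds each decompress() call, so the process never holds more
    than limit + 1 output bytes however well the payload compresses."""
    inflater = zlib.decompressobj()
    output = bytearray()
    pending = payload
    while pending:
        # limit - len(output) + 1 is always >= 1 here; a max_length of 0
        # would mean "unlimited" and reopen the hole.
        output += inflater.decompress(pending, limit - len(output) + 1)
        if len(output) > limit:
            raise DecompressionLimitExceeded(
                f"output exceeds {limit} bytes from {len(payload)} input bytes")
        pending = inflater.unconsumed_tail
    if not inflater.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return bytes(output)


def decompresses_within_limit(payload: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bool:
    """Convenience wrapper: does payload inflate to at most limit bytes?"""
    try:
        safe_decompress(payload, limit)
        return True
    except DecompressionLimitExceeded:
        return False


# Constructed inputs: a benign message and the shape of a decompression bomb,
# 16 MiB of zeros that zlib shrinks to a few kilobytes.
SMALL_PAYLOAD = zlib.compress(b"hello zabbix")
BOMB_PAYLOAD = zlib.compress(bytes(16 << 20), 9)


if __name__ == "__main__":
    print(len(BOMB_PAYLOAD))                          # a few thousand bytes
    print(decompresses_within_limit(SMALL_PAYLOAD))   # True
    print(decompresses_within_limit(BOMB_PAYLOAD))    # False
```

Pair the output cap with a cap on the compressed input size and a per-connection concurrency limit; the CPU cost of inflating up to the cap is still spent on every rejected request, so the cap must be small relative to what the server can afford to burn per client.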


For Debian 10 buster, these problems have been fixed in version 1:4.0.4+dfsg-1+deb10u6.

For Debian 8 jessie, these problems have been fixed in version 1:2.2.23+dfsg-0+deb8u10.

We recommend that you upgrade your zabbix packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.