Defect (Security)
Resolution: Fixed
Critical
| Mitre ID | CVE-2023-32724 |
| CVSS score | 9.1 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H |
| Severity | Critical |
| Summary | JS engine memory pointers are directly available to Zabbix users for modification |
| Description | A memory pointer is stored in a property of the Duktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation. |
| Known attack vectors | The overall impact is not limited to the limitation bypass: it allows users with access to a single item configuration (limited role) to compromise the whole infrastructure of the monitoring solution through remote code execution. |
| Patch provided | No |
| Component/s | Proxy, Server |
| Affected version/s and fix version/s | 5.0.0 - 5.0.36 / 5.0.37rc1; 6.0.0 - 6.0.20 / 6.0.21rc1; 6.4.0 - 6.4.5 / 6.4.6rc1; 7.0.0alpha1 - 7.0.0alpha3 / 7.0.0alpha4 |
| Fix compatibility tests | - |
| Resolution | Fixed |
| Workarounds | - |
| Acknowledgements | This vulnerability was reported on the HackerOne platform by Pavel Voit (pavelvoit). |