Type | Defect (Security) |
Priority | Minor |
Affects Version/s | 5.0.42, 6.0.30, 6.4.15, 7.0.0rc2 |
Labels | None |
Mitre ID | CVE-2024-22114 |
CVSS score | 4.3 |
CVSS vector | https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Severity | Medium |
Summary | System Information Widget in Global View Dashboard exposes information about Hosts to Users without Permission |
Description | A user with no permission to any host can still access and view the host count and other statistics through the System Information widget in the Global view dashboard. |
Common Weakness Enumeration (CWE) | CWE-281 Improper Preservation of Permissions |
Common Attack Pattern Enumeration and Classification (CAPEC) | CAPEC-410 Information Elicitation |
Known attack vectors | A user with no permission to any host is able to obtain statistics such as the total host count and other data through the System Information widget. |
Details | After the fix, information about the number of elements, the availability of Zabbix updates, and other system metrics is no longer shown to users and administrators; it is available only to super administrators. |
Patch provided | No |
Component/s | Server, Frontend |
Affected and fixed version/s | 5.0.0 - 5.0.42 / 5.0.43rc1; 6.0.0 - 6.0.30 / 6.0.31rc1; 6.4.0 - 6.4.15 / 6.4.16rc1; 7.0.0alpha1 - 7.0.0rc2 / 7.0.0rc3 |
Fix compatibility tests | - |
Resolution | Fixed |
Workarounds | - |
Acknowledgements | Zabbix wants to thank Jayateertha G (jayateerthag), who submitted this report through the HackerOne bug bounty platform. |