- Defect (Security)
- Resolution: Fixed
- Major
- 7.0.0
- None
| Field | Value |
|---|---|
| Mitre ID | CVE-2024-36462 |
| CVSS score | 7.5 |
| CVSS vector | https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Severity | High |
| Summary | Allocation of resources without limits or throttling (uncontrolled resource consumption) |
| Description | Uncontrolled resource consumption is a software weakness in which an attacker or the system itself consumes excessive resources, such as CPU, memory, or network bandwidth, without proper limits or controls. This can result in a denial-of-service (DoS) condition or degrade the performance of the affected system. An attacker could use the browser item script to crash the Zabbix server. |
| Common Weakness Enumeration (CWE) | CWE-770 Allocation of Resources Without Limits or Throttling |
| Common Attack Pattern Enumeration and Classification (CAPEC) | CAPEC-130 Excessive Allocation; CAPEC-469 HTTP DoS |
| Known attack vectors | The resulting Zabbix server crash can be used as a DDoS attack. |
| Details | While reviewing the information available on the Zabbix security advisories page and the new features developed in Zabbix, it was discovered that CVE-2023-29449 is present in: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/src/libs/zbxembed/browser_perf.c#806 An attacker can use the browser item script to crash the Zabbix server. |
| Patch provided | No |
| Component/s | Server |
| Affected and fixed version/s | 7.0.0alpha1 - 7.0.0 / 7.0.1rc1 |
| Fix compatibility tests | - |
| Resolution | Fixed |
| Workarounds | - |
| Acknowledgements | Zabbix extends its gratitude to justonezero for submitting this report on the HackerOne bug bounty platform. |