| Mitre ID |
CVE-2023-32724 |
| CVSS score |
9.1
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H |
| Severity |
Critical |
| Summary |
JS engine memory pointers are directly available for Zabbix users for modification |
| Description |
Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation. |
| Known attack vectors |
The overall impact is not limited by the limitation bypass and allows users with access to a single item configuration (limited role) to compromise the whole infrastructure of the monitoring solution by remote code execution. |
| Patch provided |
No |
| Component/s |
Proxy, Server |
| Affected version/s and fix version/s |
5.0.0 - 5.0.36 / 5.0.37rc1
6.0.0 - 6.0.20 / 6.0.21rc1
6.4.0 - 6.4.5 / 6.4.6rc1
7.0.0alpha1 - 7.0.0alpha3 / 7.0.0alpha4 |
| Fix compatibility tests |
- |
| Resolution |
Fixed |
| Workarounds |
- |
| Acknowledgements |
This vulnerability is reported in HackerOne platform by Pavel Voit (pavelvoit). |