| Mitre ID | CVE-2024-22114 |
| --- | --- |
| CVSS score | 4.3 |
| CVSS vector | https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Severity | Medium |
| Summary | System Information Widget in Global View Dashboard exposes information about Hosts to Users without Permission |
| Description | A user with no permission to any of the hosts can access and view the host count and other statistics through the System Information widget in the Global View dashboard. |
| Common Weakness Enumeration (CWE) | CWE-281 Improper Preservation of Permissions |
| Common Attack Pattern Enumeration and Classification (CAPEC) | CAPEC-410 Information Elicitation |
| Known attack vectors | A user with no permission to hosts is able to obtain statistics such as the total host count and other data through the System Information widget. |
| Details | Information about the number of elements, the availability of Zabbix updates, and other system metrics will be hidden from users and administrators and will be available only to super administrators. |
| Patch provided | No |
| Component/s | Server, Frontend |
| Affected and fixed version/s | 5.0.0 - 5.0.42 / 5.0.43rc1<br>6.0.0 - 6.0.30 / 6.0.31rc1<br>6.4.0 - 6.4.15 / 6.4.16rc1<br>7.0.0alpha1 - 7.0.0rc2 / 7.0.0rc3 |
| Fix compatibility tests | - |
| Resolution | Fixed |
| Workarounds | - |
| Acknowledgements | Zabbix wants to thank Jayateertha G (jayateerthag), who submitted this report through the HackerOne bug bounty platform. |