[Git][security-tracker-team/security-tracker][master] Update DLA-3909-1 to include the additionally fixed CVEs.
Tobias Frost (@tobi)
tobi at debian.org
Sat Dec 7 16:31:25 GMT 2024
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits:
61210e73 by Tobias Frost at 2024-12-07T17:30:39+01:00
Update DLA-3909-1 to include the additionally fixed CVEs.
Since the upload of 1:5.0.44+dfsg-1+deb11u1 information became available
that the uploaded version fixed the following vulnerabilities in addition
to the already communicated ones:
CVE-2024-22117
When a URL is added to the map element, it is recorded in the database
with sequential IDs. Upon adding a new URL, the system retrieves the
last sysmapelementurlid value and increments it by one. However, an
issue arises when a user manually changes the sysmapelementurlid value
by adding sysmapelementurlid + 1. This action prevents others from
adding URLs to the map element.
CVE-2024-36463
The implementation of atob in "Zabbix JS" allows creating a string with
arbitrary content and using it to access internal properties of objects.
CVE-2024-36467
An authenticated user with API access (e.g.: user with default User
role), more specifically a user with access to the user.update API
endpoint, is able to add themselves to any group (e.g.:
Zabbix Administrators), except to groups that are disabled or that have
restricted GUI access.
- - - - -
1 changed file:
- data/DLA/list
Changes:
=====================================
data/DLA/list
=====================================
@@ -224,7 +224,7 @@
{CVE-2022-1304}
[bullseye] - e2fsprogs 1.46.2-2+deb11u1
[03 Oct 2024] DLA-3909-1 zabbix - security update
- {CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917 CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230 CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458 CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726 CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119 CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461}
+ {CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917 CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230 CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458 CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726 CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22117 CVE-2024-22119 CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461 CVE-2024-36463 CVE-2024-36467}
[bullseye] - zabbix 1:5.0.44+dfsg-1+deb11u1
[30 Sep 2024] DLA-3908-1 debian-security-support - update
[bullseye] - debian-security-support 1:11+2024.09.30
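Review bot: only data/DLA/list is touched here ("1 changed file"), so the three CVEs added to the DLA-3909-1 line (CVE-2024-22117, CVE-2024-36463, CVE-2024-36467) should be cross-checked against their per-CVE entries in the tracker, which need to record the same bullseye fixed version `[bullseye] - zabbix 1:5.0.44+dfsg-1+deb11u1`; otherwise the DLA line claims coverage while the per-CVE view still shows bullseye as affected. The new IDs are inserted in numeric order within the braces, matching the existing list, and the `[03 Oct 2024]` date is correctly left unchanged since the advisory's publication date did not move.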
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61210e735e6c92881c2a75e3dc5545414f4f2f71