[Git][security-tracker-team/security-tracker][master] CVE-2024-36462/zabbix - vulnerable feature introduced with 7.0.0

Tobias Frost (@tobi) tobi at debian.org
Sun Sep 15 13:36:17 BST 2024 


Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7ea0c417 by Tobias Frost at 2024-09-15T14:28:14+02:00
CVE-2024-36462/zabbix - vulnerable feature introduced with 7.0.0

"Browser Monitoring" was a new feature in 7.0.0 [1]

hat means bookworm and older is not affected.

Introduced with commit https://github.com/zabbix/zabbix/commit/036f3e14be3 first seen in tag 7.0.0rc1
Upstream Ticket: https://support.zabbix.com/browse/ZBXNEXT-9150

The problem ticket for this CVE is https://support.zabbix.com/browse/ZBX-25019
The changelog entry, identified by the handle ZBX-25019 for this reads:

........S. [ZBX-25019] introduced limits to WebDriver performance data collection (dgoloscapov)

Looking at the git log, this gets us to the dev ticket:
........S. [DEV-3757] introduced limits to WebDriver performance data collection

which has been merged with upstream commit 36663df8e81f073b049fba2c595a4bb7c6adea68 [2].

[1] https://www.zabbix.com/documentation/7.0/en/manual/introduction/whatsnew700#browser-items
[2] https://github.com/zabbix/zabbix/commit/36663df8e81f073b049fba2c595a4bb7c6adea68

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8201,7 +8201,11 @@ CVE-2024-37826 (A NULL pointer dereference in vercot Serva v4.6.0 allows attacke
 	NOT-FOR-US: vercot Serva
 CVE-2024-36462 (Uncontrolled resource consumption refers to a software vulnerability w ...)
 	- zabbix 1:7.0.1+dfsg-1 (bug #1078553)
+	[bookworm] - zabbix <not-affected> (feature not present)
+	[bullseye] - zabbix <not-affected> (feature not present)
 	NOTE: https://support.zabbix.com/browse/ZBX-25019
+	NOTE: fix: https://github.com/zabbix/zabbix/commit/36663df8e81f073b049fba2c595a4bb7c6adea68a (7.0.x)
+	NOTE: WebDriver (Browser monitoring) feature introduced in https://github.com/zabbix/zabbix/commit/036f3e14be3, first seen in 7.0.0rc1
 CVE-2024-36461 (Within Zabbix, users have the ability to directly modify memory pointe ...)
 	- zabbix 1:7.0.1+dfsg-1 (bug #1078553)
 	NOTE: https://support.zabbix.com/browse/ZBX-25018



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ea0c417b4e1b2b9f342a630184dfc6e6112a892

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ea0c417b4e1b2b9f342a630184dfc6e6112a892
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240915/d1502bb2/attachment.htm>

More information about the debian-security-tracker-commits mailing list