[Git][security-tracker-team/security-tracker][master] more zabbix triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Feb 6 13:06:48 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
46935a17 by Moritz Muehlenhoff at 2026-02-06T14:06:25+01:00
more zabbix triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -107609,12 +107609,14 @@ CVE-2024-45700 (Zabbix server is vulnerable to a DoS vulnerability due to uncont
CVE-2024-45699 (The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross- ...)
{DLA-4131-1}
- zabbix 1:7.0.9+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-26254
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/4c2cf43fade6ea6239f9cba32527a547461bdec9 (7.0.7rc1)
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/6b98ae293a088183b1c1ba0428664d76f98ef36c (6.0.37rc1)
CVE-2024-42325 (Zabbix API user.get returns all users that share common group with the ...)
{DLA-4131-1}
- zabbix 1:7.0.9+dfsg-1
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-26258
NOTE: Fixed by (merge commit) https://github.com/zabbix/zabbix/commit/652fd57e8d93b2890f7484771d4fdf290a459b11 (7.0.9rc1)
NOTE: Fixed by (merge commit) https://github.com/zabbix/zabbix/commit/2b6d97beac19674ad238f98f971cf83dca352386 (6.0.38rc1)
@@ -107629,6 +107631,7 @@ CVE-2024-39780 (A YAML deserialization vulnerability was found in the Robot Oper
CVE-2024-36469 (Execution time for an unsuccessful login differs when using a non-exis ...)
{DLA-4131-1}
- zabbix 1:7.0.9+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-26255
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/5193aba71cd6db8f0d7e53f88eb6e6e5b7c88102 (7.0.9rc1)
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/4735c3bac34036fd70c57b5f057da0e27c9cb2b4 (6.0.38rc1)
@@ -147310,6 +147313,7 @@ CVE-2024-38309 (There are multiple stack-based buffer overflow vulnerabilities i
NOT-FOR-US: Fuji
CVE-2024-36466 (A bug in the code allows an attacker to sign a forged zbx_session cook ...)
- zabbix 1:7.0.1+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-25635
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/6e39148b7361312f730d87e4438f692a2c39d07e (7.0.1rc1)
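Review bot: the `<ignored>` rationale on the added `[bookworm]` line ("only supported for access by trusted users") reads as an authenticated-user assumption, but CVE-2024-36466 is about signing a forged zbx_session cookie, which concerns authentication itself rather than what a trusted user can do once logged in, and the same applies to the login-timing issue CVE-2024-36469 in the previous hunk. Suggest the rationale (or #1124558) spell out that it covers pre-authentication frontend issues as well, so these entries do not look like they were triaged on the wrong assumption.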
@@ -147397,24 +147401,28 @@ CVE-2024-46054 (OpenVidReview 1.0 is vulnerable to Incorrect Access Control. The
CVE-2024-42333 (The researcher is showing that it is possible to leak a small amount o ...)
{DLA-3984-1}
- zabbix 1:7.0.5+dfsg-1 (bug #1088689)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25629
NOTE: Fixed by https://github.com/zabbix/zabbix/commit/72d2ce61872fcbace8f8dfdabc0568c99980989d (7.0.4rc1)
NOTE: Fixed by (merge commit) https://github.com/zabbix/zabbix/commit/c4ea57b823cb6a4c2cb0796f500e862fbb6a46ea (6.0.35rc1)
CVE-2024-42332 (The researcher is showing that due to the way the SNMP trap log is par ...)
{DLA-3984-1}
- zabbix 1:7.0.5+dfsg-1 (bug #1088689)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25628
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/e2982fbe05fe0a232c3fd71f2a3426a0bf400f77 (7.0.5rc1)
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/c539a227623343187d9907186bce7c9c3bc57a52 (6.0.35rc1)
CVE-2024-42331 (In the src/libs/zbxembed/browser.c file, the es_browser_ctor method re ...)
{DLA-3984-1}
- zabbix 1:7.0.5+dfsg-1 (bug #1088689)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25627
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/e1bcc14d49a779587b6f31dddaf1ccbba4008d20 (7.0.4rc1)
NOTE: and additionally https://github.com/zabbix/zabbix/commit/e731ed95fda7572ebae5eaffaa70f41e8f897e0d (7.0.4rc1)
CVE-2024-42330 (The HttpRequest object allows to get the HTTP headers from the server' ...)
{DLA-3984-1}
- zabbix 1:7.0.5+dfsg-1 (bug #1088689)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25626
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/e82c5941242edc9f4a96e101caaf27e106f73f47 (7.0.4rc1)
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/6dfc7a30e8e3ecd984cb64da6430f4c1fc61ec2d (6.0.34rc1)
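Review bot: the `<ignored>` lines added for CVE-2024-42331 and CVE-2024-42330 carry the "WEB UI" rationale, but both descriptions point at the embedded scripting side (`src/libs/zbxembed/browser.c` and the HttpRequest object) rather than the PHP frontend, so the rationale as written does not obviously apply; either confirm these are only reachable through the frontend or use a rationale that names the actual component. The same question applies to CVE-2024-36463 ("Zabbix JS" atob) and CVE-2023-29458 (Zabbix's use of the Duktape engine) in later hunks of this patch, which get the identical rationale.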
@@ -147434,6 +147442,7 @@ CVE-2024-42328 (When the webdriver for the Browser object downloads data from a
NOTE: webdriver introduced with commit https://github.com/zabbix/zabbix/commit/4d22c15fe4499602e0da5399e3dd6dc9da03277b (7.0.0rc1)
CVE-2024-42327 (A non-admin user account on the Zabbix frontend with the default User ...)
- zabbix 1:7.0.1+dfsg-1 (bug #1088689)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-25623
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/9256f8d933a50a468ae36e7a40301aa761941612 (7.0.1rc1)
@@ -147462,6 +147471,7 @@ CVE-2024-36468 (The reported vulnerability is a stack buffer overflow in the zbx
CVE-2024-36464 (When exporting media types, the password is exported in the YAML in pl ...)
{DLA-3984-1}
- zabbix 1:7.0.9+dfsg-1 (bug #1090030)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25630
NOTE: Despite upstream claiming fixed in 6.0.30rc1, can reproduce with 6.0.36 (package from upstream)
NOTE: Can also reproduce it in 5.0.45 and 7.0.6+dfsg-1.
@@ -147518,6 +147528,7 @@ CVE-2024-43784 (lakeFS is an open-source tool that transforms object storage int
CVE-2024-36467 (An authenticated user with API access (e.g.: user with default User ro ...)
{DLA-3909-1}
- zabbix 1:7.0.2+dfsg-1 (bug #1088689)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25614
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/dabb5dd27aa979657a5bd6077716ce60951e1552 (7.0.2rc1)
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/cf14d079941a3161dedfc85b9f5c474ed2208c0b (7.0.2rc1)
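Review bot: CVE-2024-36467 is marked `<ignored>` with the WEB UI rationale although its description says the issue is reached by an authenticated user with API access, while CVE-2024-42325 (API user.get) in the first hunk of this patch is marked `<no-dsa> (Minor issue)`; the two API entries should either share a classification or the entry here should say why the web-UI rationale covers the API case.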
@@ -147674,6 +147685,7 @@ CVE-2024-38830 (VMware Aria Operations contains a local privilege escalation vul
CVE-2024-36463 (The implementation of atob in "Zabbix JS" allows to create a string wi ...)
{DLA-3909-1}
- zabbix 1:7.0.3+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25611
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/223a21567b659366396781429a8d87009600784a (7.0.3rc1)
NOTE: Fixed by (merge commit): https://github.com/zabbix/zabbix/commit/b88db679a85bcc22d2f270bf0bf736f4649b445c (7.0.3rc1)
@@ -254414,7 +254426,7 @@ CVE-2023-32722 (The zabbix/src/libs/zbxjson module is vulnerable to a buffer ove
CVE-2023-32721 (A stored XSS has been found in the Zabbix web application in the Maps ...)
{DLA-3909-1 DLA-3717-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1053877)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-23389
NOTE: possible upstream fix (4.0.x) https://github.com/zabbix/zabbix/commit/d05854bc0e638bbc0c2077ded09797648dba0911
CVE-2023-5535 (Use After Free in GitHub repository vim/vim prior to v9.0.2010.)
@@ -280739,7 +280751,7 @@ CVE-2023-29459 (The laola.redbull application through 5.1.9-R for Android expose
CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a focus on ...)
{DLA-3909-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: This appears to be bug in Zabbix's use of duktape, not an issue in src:duktape per se
NOTE: https://support.zabbix.com/browse/ZBX-22989
@@ -280747,7 +280759,7 @@ CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a foc
CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is reflected off ...)
{DLA-3909-1 DLA-3538-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-22988
CVE-2023-29456 (URL validation scheme receives input from a user and then parses it to ...)
{DLA-3909-1 DLA-3538-1}
@@ -280757,12 +280769,12 @@ CVE-2023-29456 (URL validation scheme receives input from a user and then parses
CVE-2023-29455 (Reflected XSS attacks, also known as non-persistent attacks, occur whe ...)
{DLA-3909-1 DLA-3538-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-22986
CVE-2023-29454 (Stored or persistent cross-site scripting (XSS) is a type of XSS where ...)
{DLA-3909-1 DLA-3538-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-22985
CVE-2023-29453 (Templates do not properly consider backticks (`) as Javascript string ...)
- zabbix 1:6.0.23+dfsg-1 (unimportant)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46935a17e401f8c0383beb9098b6683b55363415