[Git][security-tracker-team/security-tracker][master] zabbix triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Feb 6 15:31:51 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5cdaf149 by Moritz Muehlenhoff at 2026-02-06T16:31:29+01:00
zabbix triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -147695,6 +147695,7 @@ CVE-2024-32965 (Lobe Chat is an open-source, AI chat framework. Versions of lobe
CVE-2024-22117 (When a URL is added to the map element, it is recorded in the database ...)
{DLA-3909-1}
- zabbix 1:7.0.5+dfsg-1
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25610
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/bcf43da8eaaafc03e53845085f5b87d8c858ac81 (7.0.4rc1)
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/73d694022cd8e3468d1fdb1dc672e8d0eb9a2fc3 (6.0.34rc1)
@@ -176997,12 +176998,14 @@ CVE-2024-36462 (Uncontrolled resource consumption refers to a software vulnerabi
CVE-2024-36461 (Within Zabbix, users have the ability to directly modify memory pointe ...)
{DLA-3909-1}
- zabbix 1:7.0.1+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25018
NOTE: fix: https://github.com/zabbix/zabbix/commit/9aa4ab73c76a2395769ac1ec88a453a3066f0e79 (7.0.1rc1)
NOTE: fix: https://github.com/zabbix/zabbix/commit/b370b845cc4683896e65a93fe81f1204ccf62ba5 (6.0.31rc1)
CVE-2024-36460 (The front-end audit log allows viewing of unprotected plaintext passwo ...)
{DLA-3909-1}
- zabbix 1:7.0.1+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25017
NOTE: https://github.com/zabbix/zabbix/commit/37028d9ca96ceb39a13ae32f76e6aaa662bc80ea (7.0.1rc1)
NOTE: https://github.com/zabbix/zabbix/commit/b5361b6481fb2d4dd1e8d87f214bf8ed07c1d247 (7.0.1rc1)
@@ -177014,6 +177017,7 @@ CVE-2024-32765 (A vulnerability has been reported to affect Network & Virtual Sw
CVE-2024-22123 (Setting SMS media allows to set GSM modem file. Later this file is use ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25013
NOTE: https://github.com/zabbix/zabbix/commit/499ac935f60b38992488ff895c06da8bd80d95cc (7.0.x)
NOTE: https://github.com/zabbix/zabbix/commit/eb64b83355dae7286821c5237f7ab83038c22367 (6.0.x)
@@ -177021,6 +177025,7 @@ CVE-2024-22123 (Setting SMS media allows to set GSM modem file. Later this file
CVE-2024-22122 (Zabbix allows to configure SMS notifications. AT command injection occ ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25012
NOTE: https://github.com/zabbix/zabbix/commit/9923c7dea89e19318621788df07dc7572a2528be (7.0.0rc3)
NOTE: https://github.com/zabbix/zabbix/commit/2cd64d3522fe974f21487ce1606d65e10eea7bae (6.0.31rc1)
@@ -177031,6 +177036,7 @@ CVE-2024-22121 (A non-admin user can change or remove important features within
CVE-2024-22116 (An administrator with restricted permissions can exploit the script ex ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25016
NOTE: https://github.com/zabbix/zabbix/commit/afb3ab931d59af61e4f974634b85bcbed5a042b2 (7.0.0rc3)
NOTE: https://github.com/zabbix/zabbix/commit/679e18f172fc1f9a78b19789fbbc52246871ff19 (7.0.1rc1)
@@ -177040,6 +177046,7 @@ CVE-2024-22116 (An administrator with restricted permissions can exploit the scr
CVE-2024-22114 (User with no permission to any of the Hosts can access and view host c ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25015
NOTE: https://github.com/zabbix/zabbix/commit/44687a7aa09787db0939cc8bc6ae3178638fc1cf (7.0.0rc3)
NOTE: https://github.com/zabbix/zabbix/commit/2c52375e51349a63af7d4620d83077f103dadf91 (6.0.31rc1)
@@ -201579,6 +201586,7 @@ CVE-2024-22139 (Authentication Bypass by Spoofing vulnerability in Filipe Seabra
NOT-FOR-US: WordPress plugin
CVE-2024-22120 (Zabbix server can perform command execution for configured scripts. Af ...)
- zabbix 1:6.0.29+dfsg-1 (bug #1072120)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-24505
@@ -232120,6 +232128,7 @@ CVE-2024-23319 (Mattermost Jira Plugin fails to protect against logout CSRF allo
CVE-2024-22119 (The cause of vulnerability is improper validation of form input field ...)
{DLA-3909-1 DLA-3798-1}
- zabbix 1:6.0.24+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-24070
NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d5b73ddafc2b91376c0d74027b5f727cea6f9c29 (4.0.0alpha1)
NOTE: Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aec9ebf575e6c62b5397f267ae5353b121a91262 (6.0.24rc1)
@@ -242328,6 +242337,7 @@ CVE-2023-33214 (Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox
NOT-FOR-US: WordPress plugin
CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its param ...)
- zabbix 1:6.0.24+dfsg-1
+ [bookworm] - zabbix <no-dsa> (Minor issue)
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23858
@@ -242343,6 +242353,7 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its
CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...)
{DLA-3909-1}
- zabbix 1:6.0.23+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23857
NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1)
@@ -242351,10 +242362,12 @@ CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can
CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...)
{DLA-3909-1 DLA-3717-1}
- zabbix 1:6.0.24+dfsg-1
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-23855
NOTE: https://github.com/zabbix/zabbix/commit/53ef2b7119f57f4140e6bd9c5cd2d3c6af228179 (6.0.24rc1)
CVE-2023-32725 (The website configured in the URL widget will receive a session cookie ...)
- zabbix 1:6.0.23+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (Vulnerable code not present)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23854
@@ -254400,6 +254413,7 @@ CVE-2023-3781 (there is a possible use-after-free write due to improper locking.
CVE-2023-32724 (Memory pointer is in a property of the Ducktape object. This leads to ...)
{DLA-3909-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1053877)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23391
NOTE: https://github.com/zabbix/zabbix/commit/7266d0ac709b68ccb4d69d28253488670b8b4eb7 (release/5.0)
@@ -280763,7 +280777,7 @@ CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is reflecte
CVE-2023-29456 (URL validation scheme receives input from a user and then parses it to ...)
{DLA-3909-1 DLA-3538-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-22987
CVE-2023-29455 (Reflected XSS attacks, also known as non-persistent attacks, occur whe ...)
{DLA-3909-1 DLA-3538-1}
@@ -280781,7 +280795,7 @@ CVE-2023-29453 (Templates do not properly consider backticks (`) as Javascript s
NOTE: Zabbix in bullseye does not build the GO Agent2.
CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Geograph ...)
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (vulnerable code introduced later)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22981
@@ -280796,14 +280810,14 @@ CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON
CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain access t ...)
{DLA-3909-1 DLA-3538-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-22588
NOTE: Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4
NOTE: Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb
CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can cause uncont ...)
{DLA-3909-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22589
NOTE: Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62
=====================================
data/dsa-needed.txt
=====================================
@@ -87,5 +87,3 @@ wireshark (jmm)
--
xrdp (carnil)
---
-zabbix/oldstable
---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cdaf14974ff4e1e7353e2898412680848d308b1
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cdaf14974ff4e1e7353e2898412680848d308b1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260206/3c8b8d5b/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list