CVE-2024-22114 — Improper Preservation of Permissions in Zabbix

CWE-281 — Improper Preservation of Permissions5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 60.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix

Timeline

PublishedAug 12

Description

User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/zabbix< zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye)

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix5,0,0 — 5.0.42+3

▶NVDzabbix/zabbix5.0.0 — 5.0.42+3

🔴Vulnerability Details

GHSA

GHSA-p859-wc97-3523: User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboa↗2024-08-12

▶

OSV

CVE-2024-22114: User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboa↗2024-08-12

▶

CVEList

System Information Widget in Global View Dashboard exposes information about Hosts to Users without Permission↗2024-08-09

▶

📋Vendor Advisories

Debian

CVE-2024-22114: zabbix - User with no permission to any of the Hosts can access and view host count & oth...↗2024

▶