CVE-2024-22117 — Improper Input Validation in Zabbix

CWE-20 — Improper Input Validation5 documents5 sources

Severity

2.2LOWNVD

EPSS

0.1%

top 82.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix

Timeline

PublishedNov 26

Description

When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 0.7 | Impact: 1.4

Affected Packages3 packages

▶NVDzabbix/zabbix5.0.0 — 5.0.44+3

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix5,0,0 — 5.0.43+3

🔴Vulnerability Details

GHSA

GHSA-vmrp-q2j9-gmqr: When a URL is added to the map element, it is recorded in the database with sequential IDs↗2024-11-26

▶

OSV

CVE-2024-22117: When a URL is added to the map element, it is recorded in the database with sequential IDs↗2024-11-26

▶

CVEList

Value of sysmap_element_url can be de-synchronized causing the map element to crash when new URLs is added↗2024-11-26

▶

📋Vendor Advisories

Debian

CVE-2024-22117: zabbix - When a URL is added to the map element, it is recorded in the database with sequ...↗2024

▶