CVE-2024-36463 — Access to Critical Private Variable via Public Method in Zabbix

CWE-767 — Access to Critical Private Variable via Public Method4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 40.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix

Timeline

PublishedNov 26

Description

The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDzabbix/zabbix5.0.0 — 5.0.43+3

▶debiandebian/zabbix< zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye)

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix5.0.0 — 5.0.42+3

🔴Vulnerability Details

GHSA

GHSA-8vxw-wxwq-hg38: The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects↗2024-11-26

▶

OSV

CVE-2024-36463: The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects↗2024-11-26

▶

📋Vendor Advisories

Debian

CVE-2024-36463: zabbix - The implementation of atob in "Zabbix JS" allows to create a string with arbitra...↗2024

▶