CVE-2024-36464 — Plaintext Storage of a Password in Zabbix
Severity
2.7 LOW (NVD)
EPSS
0.1%
top 79.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Nov 27
Description
When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.2 | Impact: 1.4
Affected Packages: 3 packages
Vulnerability Details (3)
OSV
CVE-2024-36464: When exporting media types, the password is exported in the YAML in plain text (2024-11-27)
GHSA
GHSA-rj72-j8c2-fwx3: When exporting media types, the password is exported in the YAML in plain text (2024-11-27)
CVEList
Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported (2024-11-27)
Vendor Advisories (1)
Debian
CVE-2024-36464: zabbix - When exporting media types, the password is exported in the YAML in plain text. ... (2024)