CVE-2024-36467 — Improper Authorization in Zabbix

CWE-285 — Improper Authorization5 documents5 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

0.3%

top 44.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix

Timeline

PublishedNov 27

Description

An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDzabbix/zabbix5.0.0 — 5.0.43+3

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix5.0.0 — 5.0.42+3

🔴Vulnerability Details

OSV

CVE-2024-36467: An authenticated user with API access (e↗2024-11-27

▶

GHSA

GHSA-xwvj-c6cj-6xgw: An authenticated user with API access (e↗2024-11-27

▶

CVEList

Authentication privilege escalation via user groups due to missing authorization checks↗2024-11-27

▶

📋Vendor Advisories

Debian

CVE-2024-36467: zabbix - An authenticated user with API access (e.g.: user with default User role), more ...↗2024

▶