CVE-2024-42325 — Exposure of Private Personal Information to an Unauthorized Actor in Zabbix

CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor4 documents4 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 71.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix

Timeline

PublishedApr 2

Description

Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDzabbix/zabbix5.0.0 — 5.0.46+3

▶debiandebian/zabbix< zabbix 1:5.0.46+dfsg-1+deb11u1 (bullseye)

▶Debianzabbix/zabbix< 1:5.0.46+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix5.0.0 — 5.0.45+3

🔴Vulnerability Details

GHSA

GHSA-pphq-xpjc-vgqx: Zabbix API user↗2025-04-02

▶

OSV

CVE-2024-42325: Zabbix API user↗2025-04-02

▶

📋Vendor Advisories

Debian

CVE-2024-42325: zabbix - Zabbix API user.get returns all users that share common group with the calling u...↗2024

▶