CVE-2024-42327

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-42327
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42327.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-42327
Downstream
Published
2024-11-27T12:15:20.640Z
Modified
2025-11-20T12:30:02.553947Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. A SQL injection (SQLi) exists in the addRelatedObjects function of the CUser class; this function is called from the CUser.get function, which is available to every user who has API access.

References

Affected packages

Git / github.com/zabbix/zabbix

Affected ranges

Type
GIT
Repo
https://github.com/zabbix/zabbix
Events

Affected versions

6.*

6.0.0
6.0.1
6.0.10
6.0.10rc1
6.0.10rc2
6.0.11
6.0.11rc1
6.0.11rc2
6.0.12
6.0.12rc1
6.0.12rc2
6.0.13
6.0.13rc1
6.0.14
6.0.14rc1
6.0.14rc2
6.0.15
6.0.15rc1
6.0.15rc2
6.0.16
6.0.16rc1
6.0.17
6.0.17rc1
6.0.17rc2
6.0.18
6.0.18rc1
6.0.19
6.0.19rc1
6.0.1rc1
6.0.1rc2
6.0.1rc3
6.0.1rc4
6.0.2
6.0.20
6.0.20rc1
6.0.21
6.0.21rc1
6.0.22
6.0.22rc1
6.0.23
6.0.23rc1
6.0.25
6.0.25rc1
6.0.26
6.0.26rc1
6.0.27
6.0.27rc1
6.0.28
6.0.28rc1
6.0.29
6.0.29rc1
6.0.2rc1
6.0.3
6.0.30
6.0.30rc1
6.0.31
6.0.31rc1
6.0.32rc1
6.0.3rc1
6.0.4
6.0.4rc1
6.0.5
6.0.5rc1
6.0.6
6.0.6rc1
6.0.7
6.0.7rc1
6.0.8
6.0.8rc1
6.0.8rc2
6.0.9
6.0.9rc1
6.0.9rc2

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "268532432675997961382533109683550991275",
                "77468328968705158713064176216215297941",
                "242617437909076284338012963993674069245",
                "53988357087650554977707365843443920215",
                "128232534528403919384584568266563623737",
                "8192478687897789813459981120771879298"
            ]
        },
        "id": "CVE-2024-42327-304bfe13",
        "target": {
            "file": "src/zabbix_java/src/com/zabbix/gateway/GeneralInformation.java"
        },
        "source": "https://github.com/zabbix/zabbix/commit/e0ebc610bbe07feec683b36b33b0c7c54d4dfa51",
        "signature_type": "Line"
    }
]