CVE-2024-42327

Source
https://cve.org/CVERecord?id=CVE-2024-42327
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42327.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-42327
Published
2024-11-27T12:15:20.640Z
Modified
2026-02-05T12:43:31.851572Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQL injection (SQLi) exists in the addRelatedObjects function of the CUser class. This function is called from the CUser.get function, which is available to every user who has API access.

References

Affected packages

Git / github.com/zabbix/zabbix

Affected versions

6.*
6.0.0
6.0.1
6.0.10
6.0.10rc1
6.0.10rc2
6.0.11
6.0.11rc1
6.0.11rc2
6.0.12
6.0.12rc1
6.0.12rc2
6.0.13
6.0.13rc1
6.0.14
6.0.14rc1
6.0.14rc2
6.0.15
6.0.15rc1
6.0.15rc2
6.0.16
6.0.16rc1
6.0.17
6.0.17rc1
6.0.17rc2
6.0.18
6.0.18rc1
6.0.19
6.0.19rc1
6.0.1rc1
6.0.1rc2
6.0.1rc3
6.0.1rc4
6.0.2
6.0.20
6.0.20rc1
6.0.21
6.0.21rc1
6.0.22
6.0.22rc1
6.0.23
6.0.23rc1
6.0.25
6.0.25rc1
6.0.26
6.0.26rc1
6.0.27
6.0.27rc1
6.0.28
6.0.28rc1
6.0.29
6.0.29rc1
6.0.2rc1
6.0.3
6.0.30
6.0.30rc1
6.0.31
6.0.31rc1
6.0.32rc1
6.0.3rc1
6.0.4
6.0.4rc1
6.0.5
6.0.5rc1
6.0.6
6.0.6rc1
6.0.7
6.0.7rc1
6.0.8
6.0.8rc1
6.0.8rc2
6.0.9
6.0.9rc1
6.0.9rc2
7.*
7.0.0
7.0.1rc1
7.0.1rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42327.json"
vanir_signatures
[
    {
        "id": "CVE-2024-42327-304bfe13",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "268532432675997961382533109683550991275",
                "77468328968705158713064176216215297941",
                "242617437909076284338012963993674069245",
                "53988357087650554977707365843443920215",
                "128232534528403919384584568266563623737",
                "8192478687897789813459981120771879298"
            ]
        },
        "signature_type": "Line",
        "target": {
            "file": "src/zabbix_java/src/com/zabbix/gateway/GeneralInformation.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/zabbix/zabbix/commit/e0ebc610bbe07feec683b36b33b0c7c54d4dfa51",
        "deprecated": false
    },
    {
        "id": "CVE-2024-42327-e2a91b12",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "43636950122256154266010777110842379173",
                "150345703210521586960191098792874252545",
                "145617903543086714152812391346310142386",
                "187012436310723479239082560666125826862",
                "149341614607942162121466632515421063223",
                "216393015426645457264218364948720538146"
            ]
        },
        "signature_type": "Line",
        "target": {
            "file": "src/zabbix_java/src/com/zabbix/gateway/GeneralInformation.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/zabbix/zabbix/commit/0543fbe4af6b9833aba9005540c1544272499225",
        "deprecated": false
    }
]