PT-2023-9377 · Zabbix+4 · Zabbix+4
Maris Melnikovs +1 · Published 2023-06-16 · Updated 2024-10-03
CVE-2023-29458
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Zabbix versions (affected versions not specified)
Duktape version 2.6
Description
The issue is an unverified array index in the Duktape component of the Zabbix monitoring system. A remote attacker can exploit it to cause a denial of service. The problem stems from a bug in Duktape 2.6, a third-party embeddable JavaScript engine used for its portability and compact footprint. When too many values are added to the valstack, JavaScript will crash.
Recommendations
For Duktape version 2.6, consider disabling the use of the valstack in JavaScript until a patch is available.
As a temporary workaround, restrict the number of values that can be added to the valstack to prevent JavaScript from crashing.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Improper Validation of Array Index
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Duktape
Zabbix