PT-2023-9377 · Zabbix +4
Author: Maris Melnikovs (+1)
Published: 2023-06-16 · Updated: 2024-10-03
CVE-2023-29458
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Zabbix versions (affected versions not specified)
Duktape version 2.6
Description
The issue is an improperly validated array index in the Duktape component of the Zabbix monitoring system, which a remote attacker can exploit to cause a denial of service. The root cause is a bug in Duktape 2.6, a third-party embeddable JavaScript engine chosen for its portability and compact footprint. When JavaScript code pushes too many values onto the engine's value stack (the valstack), the index is not checked against the stack's bounds and the process crashes.
Recommendations
For Duktape version 2.6, consider disabling the use of the valstack in JavaScript until a patch is available.
As a temporary workaround, restrict the number of values that can be added to the valstack to prevent JavaScript from crashing.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Improper Validation of Array Index (CWE-129)
Related Identifiers
CVE-2023-29458
Affected Products
Alt Linux
Astra Linux
Debian
Duktape
Zabbix