PT-2024-8876 · Zabbix+4

Vjaceslavs Bogdanovs · Published 2024-11-27 · Updated 2026-02-01 · CVE-2024-42327

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Zabbix versions 6.0.0 through 6.0.31
Zabbix versions 6.4.0 through 6.4.16
Zabbix version 7.0.0
Description: A non-admin user account on the Zabbix frontend with the default User role, or with any other role that grants API access, can exploit this vulnerability. An SQL injection exists in the addRelatedObjects function of the CUser class, which is called from CUser.get (the user.get API method); that method is available to every user who has API access. By sending a specially crafted API request whose parameters carry SQL, an attacker can escalate privileges and gain full control of the system. Over 143,000 services are potentially affected.
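The following is an added illustration of the vulnerability class named above, not Zabbix code and not taken from the advisory. The page does not say which user.get parameter carries the injected SQL; the example assumes, for illustration only, an API "get" method that lets an authenticated low-privileged caller name the output fields of a related object and splices those names into the SELECT list. The schema, table names and rows are constructed for the demo. It shows why a bound parameter on the WHERE clause is not enough when identifiers come from the caller, and the allowlist check that closes the hole.

```python
"""Constructed demo: caller-chosen output fields spliced into SQL (vulnerable)
versus validated against the table's real columns (hardened).
Not Zabbix code; schema and data are invented for illustration."""
import re
import sqlite3

# Constructed stand-in for a users table and the role table it relates to.
SCHEMA = """
CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, passwd TEXT, roleid INTEGER);
CREATE TABLE role  (roleid INTEGER PRIMARY KEY, name TEXT, type INTEGER);
INSERT INTO users VALUES (1, 'Admin', 'hash-of-admin-password', 3);
INSERT INTO users VALUES (2, 'guest', 'hash-of-guest-password', 1);
INSERT INTO role  VALUES (1, 'User role', 1), (3, 'Super admin role', 3);
"""

# Allowlist: the only identifiers the related-object query may select.
ROLE_FIELDS = {"roleid", "name", "type"}
IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_role_vulnerable(conn, roleid, select_fields):
    """Builds the SELECT list from caller-supplied strings unvalidated.
    Only the roleid is bound; the identifiers are trusted as-is."""
    sql = f"SELECT {', '.join(select_fields)} FROM role WHERE roleid = ?"
    return conn.execute(sql, (roleid,)).fetchall()


def get_role_hardened(conn, roleid, select_fields):
    """Rejects any 'field' that is not a plain identifier naming a real column."""
    bad = [f for f in select_fields if not IDENT.match(f) or f not in ROLE_FIELDS]
    if bad:
        raise ValueError(f"unknown output field(s): {bad}")
    sql = f"SELECT {', '.join(select_fields)} FROM role WHERE roleid = ?"
    return conn.execute(sql, (roleid,)).fetchall()


def demo():
    """Returns (legit_result, leaked_result, hardened_blocked)."""
    conn = open_db()
    # A low-privileged user asking for its own role with a normal field list.
    legit = get_role_vulnerable(conn, 1, ["roleid", "name"])
    # The same call with a "field" that is really a subquery against another table:
    # the WHERE clause still only matches the caller's own role, yet the
    # SELECT list reads the Admin password hash.
    crafted = ["name", "(SELECT passwd FROM users WHERE username = 'Admin')"]
    leaked = get_role_vulnerable(conn, 1, crafted)
    try:
        get_role_hardened(conn, 1, crafted)
        blocked = False
    except ValueError:
        blocked = True
    return legit, leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened variant validates identifiers against the schema rather than trying to escape them; escaping is for values, and there is no safe way to quote a column name that the caller has made up.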
Recommendations: For Zabbix versions 6.0.0 through 6.0.31, update to version 6.0.32rc1 or later. For Zabbix versions 6.4.0 through 6.4.16, update to version 6.4.17rc1 or later. For Zabbix version 7.0.0, update to version 7.0.1rc1 or later. Until the update can be applied, reduce exposure of the vulnerable code path: disable API access for non-administrative user roles, or deny the user.get method in those roles' API method restrictions, since CUser.get and addRelatedObjects are reachable from any account that can call the API. Note that the Zabbix API is served from a single JSON-RPC endpoint (api_jsonrpc.php), so the vulnerable method cannot be blocked at the URL level without blocking the whole API.
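An added triage helper, not part of the advisory, for checking a deployment against the version ranges listed above. It builds the body of the unauthenticated apiinfo.version JSON-RPC call (a real Zabbix API method) and classifies the returned version string, treating the rc build of each fixed version as fixed, as the advisory does. The sample response is constructed; branches the advisory does not mention (for example 6.2.x) are reported as None rather than guessed.

```python
"""Added example: classify a Zabbix version against the ranges in this advisory.
Not code from the advisory or from Zabbix."""
import json
import re

# Affected ranges exactly as the advisory states them: branch -> (first, last patch).
AFFECTED = {
    (6, 0): (0, 31),   # 6.0.0 .. 6.0.31, fixed in 6.0.32rc1
    (6, 4): (0, 16),   # 6.4.0 .. 6.4.16, fixed in 6.4.17rc1
    (7, 0): (0, 0),    # 7.0.0 only,      fixed in 7.0.1rc1
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc\d+)?$")


def parse_version(s):
    """'6.0.32rc1' -> (6, 0, 32). The rc suffix is dropped because the advisory
    lists the rc build of the fixed version as already fixed."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True/False for branches the advisory covers, None for branches it does not mention."""
    major, minor, patch = parse_version(version)
    rng = AFFECTED.get((major, minor))
    if rng is None:
        return None
    lo, hi = rng
    return lo <= patch <= hi


def version_request(req_id=1):
    """JSON-RPC body for apiinfo.version, which needs no auth token.
    POST it to http(s)://<frontend>/api_jsonrpc.php with
    Content-Type: application/json-rpc (the hostname is yours to fill in)."""
    return json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                       "params": [], "id": req_id})


def triage(response_text):
    """Parse the JSON-RPC reply and return (version, affected)."""
    body = json.loads(response_text)
    if "error" in body:
        raise RuntimeError(f"API error: {body['error']}")
    version = body["result"]
    return version, is_affected(version)


if __name__ == "__main__":
    # Constructed reply standing in for a real frontend's answer.
    sample = '{"jsonrpc":"2.0","result":"6.0.30","id":1}'
    print(version_request())
    print(triage(sample))
```

Send the request body with any HTTP client; the reply is a version string only, so this check is safe to run against production frontends and needs no account. A None result means the branch is outside the advisory's scope and should be checked against the vendor's own release notes rather than assumed safe.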

Exploit

Fix

Weakness Enumeration

SQL injection

Related Identifiers

ALT-PU-2024-16527
ALT-PU-2024-16638
ALT-PU-2025-3400
BDU:2024-10543
CVE-2024-42327

Affected Products

Alt Linux
Astra Linux
Debian
Red Os
Zabbix