Zabbix patches critical SQL injection flaw, urges fast upgrades
Take action: If you run Zabbix, plan a prompt upgrade. Restricting the frontend and API to trusted networks reduces exposure, but only as a short-term measure: sooner or later a Zabbix user's credentials will be phished or their workstation compromised, and any account with API access is then enough to exploit this flaw. Patch it.
Open-source enterprise network and application monitoring provider Zabbix is warning customers of a critical vulnerability.
Tracked as CVE-2024-42327 (CVSS score 9.9), the flaw is an SQL injection vulnerability in Zabbix's user.get API method. It lies in the addRelatedObjects function of the CUser class, which is called by CUser.get.
The vulnerability is exploitable through the API interface and requires only a low-privilege account with API access. Any such user, including accounts holding the default User role, can exploit it to escalate privileges.
Affected Versions:
- Zabbix 6.0.0 through 6.0.31
- Zabbix 6.4.0 through 6.4.16
- Zabbix 7.0.0
Patched Versions:
- Zabbix 6.0.32rc1
- Zabbix 6.4.17rc1
- Zabbix 7.0.1rc1
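The quickest way to know whether an instance needs this upgrade is to compare its reported version against the affected ranges above. The script below is an added example, not code from Zabbix or from the original article: it encodes the affected ranges exactly as listed, parses version strings including release-candidate suffixes, and optionally fetches the version from a frontend over the unauthenticated apiinfo.version JSON-RPC method (the API URL is an assumption you supply; it only checks the ranges in this advisory, nothing else).

```python
import json
import re
import sys
import urllib.request

# Affected ranges taken from the advisory (inclusive on both ends).
# Patched releases: 6.0.32rc1, 6.4.17rc1, 7.0.1rc1.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 31)),
    ((6, 4, 0), (6, 4, 16)),
    ((7, 0, 0), (7, 0, 0)),
]


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch' with an optional suffix, e.g. '6.0.32rc1' -> (6, 0, 32).

    A release candidate carries the number of the release it precedes, so
    '6.0.32rc1' already sits outside the affected range while '6.0.31rc1' is inside it.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the ranges listed in the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def fetch_version(api_url: str, timeout: float = 5.0) -> str:
    """Ask a Zabbix frontend for its version via apiinfo.version (no login required).

    api_url is an assumption: typically https://<host>/zabbix/api_jsonrpc.php.
    """
    payload = {"jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1}
    req = urllib.request.Request(
        api_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json-rpc"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    # Usage: python check_zabbix.py <version-string-or-api-url>
    arg = sys.argv[1] if len(sys.argv) > 1 else "7.0.0"
    ver = fetch_version(arg) if arg.startswith("http") else arg
    status = "AFFECTED by CVE-2024-42327, upgrade" if is_affected(ver) else "not in the affected ranges"
    print(f"Zabbix {ver}: {status}")
```

Run it against an inventory of frontends before and after the upgrade window so you have a record that every instance moved out of the affected ranges; a version outside the listed ranges (an unsupported branch, for instance) is reported as "not in the affected ranges", which is all this advisory lets you conclude.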
The number of affected systems and whether the flaw has been exploited in the wild have not been disclosed. However, given Zabbix's large customer base, which includes major enterprises such as Dell, the European Space Agency, and Vodacom, the potential impact is significant.