zabbix: CVE-2023-29449 CVE-2023-29450 CVE-2023-29451 CVE-2023-29452 CVE-2023-29453 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458

Debian Bug report logs - #1055175

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 1 Nov 2023 19:21:02 UTC

Severity: grave

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#1055175; Package src:zabbix. (Wed, 01 Nov 2023 19:21:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Wed, 01 Nov 2023 19:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: zabbix: CVE-2023-29449 CVE-2023-29450 CVE-2023-29451 CVE-2023-29452 CVE-2023-29453 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458
Date: Wed, 1 Nov 2023 20:18:03 +0100
Source: zabbix
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2023-29449[0]:
| JavaScript preprocessing, webhooks and global scripts can cause
| uncontrolled CPU, memory, and disk I/O utilization.
| Preprocessing/webhook/global script configuration and testing are
| only available to Administrative roles (Admin and Superadmin).
| Administrative privileges should be typically granted to users who
| need to perform tasks that require more control over the system. The
| security risk is limited because not all users have this level of
| access.

https://support.zabbix.com/browse/ZBX-22589
Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62
applied in upstream release/5.0 branch: https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
vulnerable module introduced in https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)

CVE-2023-29450[1]:
| JavaScript pre-processing can be used by the attacker to gain access
| to the file system (read-only access on behalf of user "zabbix") on
| the Zabbix Server or Zabbix Proxy, potentially leading to
| unauthorized access to sensitive data.

https://support.zabbix.com/browse/ZBX-22588
Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4
Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb

CVE-2023-29451[2]:
| A specially crafted string can cause a buffer overrun in the JSON
| parser library leading to a crash of the Zabbix Server or a Zabbix
| Proxy.

https://support.zabbix.com/browse/ZBX-22587

CVE-2023-29452[3]:
| Currently, geomap configuration (Administration -> General ->
| Geographical maps) allows using HTML in the field “Attribution text”
| when selected “Other” Tile provider.

https://support.zabbix.com/browse/ZBX-22981
Patch links: https://support.zabbix.com/browse/ZBX-22720
vulnerable geomap widget introduced in version with https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 (6.0.0alpha6)

CVE-2023-29453[4]:
| Templates do not properly consider backticks (`) as Javascript
| string delimiters, and do not escape them as expected. Backticks are
| used, since ES6, for JS template literals. If a template contains a
| Go template action within a Javascript template literal, the
| contents of the action can be used to terminate the literal,
| injecting arbitrary Javascript code into the Go template. As ES6
| template literals are rather complex, and themselves can do string
| interpolation, the decision was made to simply disallow Go template
| actions from being used inside of them (e.g., "var a = {{.}}"),
| since there is no obviously safe way to allow this behavior. This
| takes the same approach as github.com/google/safehtml. With fix,
| Template.Parse returns an Error when it encounters templates like
| this, with an ErrorCode of value 12. This ErrorCode is currently
| unexported but will be exported in the release of Go 1.21. Users who
| rely on the previous behavior can re-enable it using the GODEBUG
| flag jstmpllitinterp=1, with the caveat that backticks will now be
| escaped. This should be used with caution.

https://support.zabbix.com/browse/ZBX-23388

CVE-2023-29454[5]:
| Stored or persistent cross-site scripting (XSS) is a type of XSS
| where the attacker first sends the payload to the web application,
| then the application saves the payload (e.g., in a database or
| server-side text files), and finally, the application
| unintentionally executes the payload for every victim visiting its
| web pages.

https://support.zabbix.com/browse/ZBX-22985

CVE-2023-29455[6]:
| Reflected XSS attacks, also known as non-persistent attacks, occur
| when a malicious script is reflected off a web application to the
| victim's browser. The script is activated through a link, which
| sends a request to a website with a vulnerability that enables
| execution of malicious scripts.

https://support.zabbix.com/browse/ZBX-22986

CVE-2023-29456[7]:
| A URL validation scheme receives input from a user and then parses it
| to identify its various components. The validation scheme can ensure
| that all URL components comply with internet standards.

https://support.zabbix.com/browse/ZBX-22987

CVE-2023-29457[8]:
| Reflected XSS attacks occur when a malicious script is reflected
| off a web application to the victim's browser. The script can be
| activated through Action form fields, which can be sent as a request
| to a website with a vulnerability that enables execution of
| malicious scripts.

https://support.zabbix.com/browse/ZBX-22988

CVE-2023-29458[9]:
| Duktape is a 3rd-party embeddable JavaScript engine, with a focus
| on portability and compact footprint. When adding too many values in
| valstack JavaScript will crash. This issue occurs due to a bug in
| Duktape 2.6 which is a 3rd-party solution that we use.

This appears to be a bug in Zabbix's use of duktape, not an issue in src:duktape per se
https://support.zabbix.com/browse/ZBX-22989
duktape library introduced with https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2 (5.0.0alpha1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29449
    https://www.cve.org/CVERecord?id=CVE-2023-29449
[1] https://security-tracker.debian.org/tracker/CVE-2023-29450
    https://www.cve.org/CVERecord?id=CVE-2023-29450
[2] https://security-tracker.debian.org/tracker/CVE-2023-29451
    https://www.cve.org/CVERecord?id=CVE-2023-29451
[3] https://security-tracker.debian.org/tracker/CVE-2023-29452
    https://www.cve.org/CVERecord?id=CVE-2023-29452
[4] https://security-tracker.debian.org/tracker/CVE-2023-29453
    https://www.cve.org/CVERecord?id=CVE-2023-29453
[5] https://security-tracker.debian.org/tracker/CVE-2023-29454
    https://www.cve.org/CVERecord?id=CVE-2023-29454
[6] https://security-tracker.debian.org/tracker/CVE-2023-29455
    https://www.cve.org/CVERecord?id=CVE-2023-29455
[7] https://security-tracker.debian.org/tracker/CVE-2023-29456
    https://www.cve.org/CVERecord?id=CVE-2023-29456
[8] https://security-tracker.debian.org/tracker/CVE-2023-29457
    https://www.cve.org/CVERecord?id=CVE-2023-29457
[9] https://security-tracker.debian.org/tracker/CVE-2023-29458
    https://www.cve.org/CVERecord?id=CVE-2023-29458

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 01 Nov 2023 19:45:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 2 17:55:14 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.