CVE-2023-29449

NameCVE-2023-29449
DescriptionJavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3909-1
Debian Bugs1055175

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)jessie, jessie (lts)1:2.2.23+dfsg-0+deb8u9fixed
stretch (security)1:3.0.32+dfsg-0+deb9u3fixed
stretch (lts), stretch1:3.0.32+dfsg-0+deb9u8fixed
buster (security), buster, buster (lts)1:4.0.4+dfsg-1+deb10u5fixed
bullseye1:5.0.8+dfsg-1vulnerable
bullseye (security)1:5.0.45+dfsg-1+deb11u1fixed
bookworm1:6.0.14+dfsg-1vulnerable
sid, trixie1:7.0.6+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourcejessie(not affected)
zabbixsourcestretch(not affected)
zabbixsourcebuster(not affected)
zabbixsourcebullseye1:5.0.44+dfsg-1+deb11u1DLA-3909-1
zabbixsource(unstable)1:6.0.23+dfsg-11055175

Notes

[bookworm] - zabbix <no-dsa> (Minor issue)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
https://support.zabbix.com/browse/ZBX-22589
Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62
applied in upstream release/5.0 branch: https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
vulnerable module introduced in https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)
[stretch] - zabbix <not-affected> (vulnerable code introduced later)
[jessie] - zabbix <not-affected> (vulnerable code introduced later)

Search for package or bug name: Reporting problems