CVE-2023-29449

Name	CVE-2023-29449
Description	JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1055175

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
zabbix (PTS)	jessie, jessie (lts)	1:2.2.23+dfsg-0+deb8u7	fixed
	stretch (security)	1:3.0.32+dfsg-0+deb9u3	fixed
	stretch (lts), stretch	1:3.0.32+dfsg-0+deb9u6	fixed
	buster	1:4.0.4+dfsg-1	fixed
	buster (security)	1:4.0.4+dfsg-1+deb10u4	fixed
	bullseye	1:5.0.8+dfsg-1	vulnerable
	bookworm	1:6.0.14+dfsg-1	vulnerable
	sid	1:6.0.29+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
zabbix	source	jessie	(not affected)
zabbix	source	stretch	(not affected)
zabbix	source	buster	(not affected)
zabbix	source	(unstable)	1:6.0.23+dfsg-1	1055175

Notes

[bookworm] - zabbix <no-dsa> (Minor issue)
[bullseye] - zabbix <no-dsa> (Minor issue)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
https://support.zabbix.com/browse/ZBX-22589
Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62
applied in upstream release/5.0 branch: https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
vulnerable module introduced in https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)
[stretch] - zabbix <not-affected> (vulnerable code introduced later)
[jessie] - zabbix <not-affected> (vulnerable code introduced later)