CVE-2024-22117

NameCVE-2024-22117
DescriptionWhen a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3909-1, ELA-1273-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)jessie, jessie (lts)1:2.2.23+dfsg-0+deb8u9fixed
stretch (security)1:3.0.32+dfsg-0+deb9u3vulnerable
stretch (lts), stretch1:3.0.32+dfsg-0+deb9u8fixed
buster (security), buster, buster (lts)1:4.0.4+dfsg-1+deb10u5vulnerable
bullseye1:5.0.8+dfsg-1vulnerable
bullseye (security)1:5.0.45+dfsg-1+deb11u1fixed
bookworm1:6.0.14+dfsg-1vulnerable
sid, trixie1:7.0.6+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourcejessie1:2.2.23+dfsg-0+deb8u9ELA-1273-1
zabbixsourcestretch1:3.0.32+dfsg-0+deb9u8ELA-1273-1
zabbixsourcebuster(unfixed)end-of-life
zabbixsourcebullseye1:5.0.44+dfsg-1+deb11u1DLA-3909-1
zabbixsource(unstable)1:7.0.5+dfsg-1

Notes

https://support.zabbix.com/browse/ZBX-25610
Fixed by: https://github.com/zabbix/zabbix/commit/bcf43da8eaaafc03e53845085f5b87d8c858ac81 (7.0.4rc1)
Fixed by: https://github.com/zabbix/zabbix/commit/73d694022cd8e3468d1fdb1dc672e8d0eb9a2fc3 (6.0.34rc1)
fixed by: https://github.com/zabbix/zabbix/commit/c9810cd2dfe65922ec5e84f06c0b44d38262fbe5 (5.0.44rc1)

Search for package or bug name: Reporting problems