CVE-2024-36464

Name: CVE-2024-36464
Description: When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3984-1, ELA-1273-1
Debian Bugs: 1090030

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| zabbix (PTS) | jessie, jessie (lts) | 1:2.2.23+dfsg-0+deb8u9 | fixed |
| | stretch (security) | 1:3.0.32+dfsg-0+deb9u3 | vulnerable |
| | stretch (lts), stretch | 1:3.0.32+dfsg-0+deb9u8 | fixed |
| | buster (security), buster, buster (lts) | 1:4.0.4+dfsg-1+deb10u5 | vulnerable |
| | bullseye | 1:5.0.8+dfsg-1 | vulnerable |
| | bullseye (security) | 1:5.0.45+dfsg-1+deb11u1 | fixed |
| | bookworm | 1:6.0.14+dfsg-1 | vulnerable |
| | sid, trixie | 1:7.0.6+dfsg-1 | vulnerable |

The information below is based on the following data on fixed versions.

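| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| zabbix | source | jessie | 1:2.2.23+dfsg-0+deb8u9 | | ELA-1273-1 | |
| zabbix | source | stretch | 1:3.0.32+dfsg-0+deb9u8 | | ELA-1273-1 | |
| zabbix | source | buster | (unfixed) | end-of-life | | |
| zabbix | source | bullseye | 1:5.0.45+dfsg-1+deb11u1 | | DLA-3984-1 | |
| zabbix | source | (unstable) | (unfixed) | | | 1090030 |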

Notes

https://support.zabbix.com/browse/ZBX-25630
Despite upstream claiming fixed in 6.0.30rc1, can reproduce with 6.0.36 (package from upstream)
Can also reproduce it in 5.0.45 and 7.0.6+dfsg-1.
