Zabbix CVE-2024-36461 Critical Vulnerability: Direct Memory Pointer Modification in JS Engine

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: ZBX-25018 2. Vulnerability Name: Direct access to memory pointers within the JS modification (CVE-2024-36461) 3. Vulnerability Type: Defect (Security) 4. Priority: Critical 5. Affected Versions: - 6.0.30 - 6.4.15 - 7.0.0 6. Component: Server (S) 7. Vulnerability Description: - CVE-2024-36461 - CVSS score: 9.1 - CVSS vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N - Severity: Critical - Summary: Direct access to memory pointers within the JS engine for modification - Description: Within Zabbix, users could directly modify memory pointers in the JavaScript engine. 8. Vulnerability Classification: - Common Weakness Enumeration (CWE): CWE-822 Untrusted Pointer Dereference - Common Attack Pattern Enumeration and Classification (CAPEC): CAPEC-253 Remote Code Inclusion 9. Known Attack Vectors: - This vulnerability allows users with access to a single item configuration (the entire infrastructure of the monitoring solution) via remote code execution. 10. Vulnerability Details: - The following report is a continuation of the previous finding (2088108): https://nvd.nist.gov/vuln/detail/CVE-2023-32724 - JS engine memory pointers are directly accessible to Zabbix users for modification, located in a property of the ducktape object (https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/src/libs/zbxengine.js). 11. Patch Provided: No 12. Affected and Fixed Versions: - 6.0.0 - 6.0.30 / 6.0.31rc1 - 6.4.0 - 6.4.15 / 6.4.16rc1 - 7.0.0alpha1 - 7.0.0 / 7.0.1rc1 13. Fix Compatibility: None This information helps understand the vulnerability's details, scope of impact, and remediation status.

Goal Reached Thanks to every supporter — we hit 100%!

Zabbix CVE-2024-36461 Critical Vulnerability: Direct Memory Pointer Modification in JS Engine