Bug 1213307 (CVE-2023-29450)

Summary:	VUL-0: CVE-2023-29450: zabbix: unautorized file system access in JS preprocessing
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Alexander Bergmann <abergmann>
Component:	Incidents	Assignee:	Boris Manojlovic <boris>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	boris, pgajdos, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/372379/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-29450:8.5:(AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Alexander Bergmann 2023-07-14 06:37:27 UTC

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.

Affected versions are not listed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29450
https://bugzilla.redhat.com/show_bug.cgi?id=2222684
https://www.cve.org/CVERecord?id=CVE-2023-29450
https://support.zabbix.com/browse/ZBX-22588

Comment 1 Petr Gajdos 2023-07-19 10:23:21 UTC

Adding openSUSE maintainer.

Comment 2 Petr Gajdos 2023-07-19 12:49:12 UTC

This:
https://github.com/zabbix/zabbix/commit/c34f799cbb8739d69500fe3356f8fef5e2d5077c

Comment 3 Petr Gajdos 2023-07-20 11:24:01 UTC

Used this for release/5.0:
https://github.com/zabbix/zabbix/commit/5fd3d2566257bf1585dbea13e07f5333e7988942

Will submit for 12sp3/zabbix.

Comment 4 Petr Gajdos 2023-07-20 11:28:13 UTC

Reassigning to Boris.

@Boris, if I am supposed to help somehow, fx. to send an Backports version update, let me know. Likewise, if you spot an error in my reasoning.

Comment 6 Boris Manojlovic 2023-07-20 20:45:40 UTC

(In reply to Petr Gajdos from comment #4)
> Reassigning to Boris.
> 
> @Boris, if I am supposed to help somehow, fx. to send an Backports version
> update, let me know. Likewise, if you spot an error in my reasoning.

affected versions are listed in linked ticket with fixes
Fix Version/s 		5.0.34rc1 [ 21401 ]
Fix Version/s 		6.0.16rc1 [ 21402 ]
Fix Version/s 		6.4.2rc1 [ 21404 ]
Fix Version/s 		7.0.0alpha1 (master) [ 21209 ]
Fix Version/s 		6.2.9rc2 [ 21403 ]

as we are on 6.0.17 in Factory we are clear

Comment 7 Maintenance Automation 2023-07-31 12:30:36 UTC

SUSE-SU-2023:3029-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213307
CVE References: CVE-2023-29450
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): zabbix-4.0.12-4.24.1
SUSE Linux Enterprise Server 12 SP5 (src): zabbix-4.0.12-4.24.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): zabbix-4.0.12-4.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.