Bugzilla – Bug 1213301
VUL-0: CVE-2023-29449: zabbix: JavaScript can cause uncontrolled CPU, memory, and disk I/O utilization
Last modified: 2023-07-20 20:41:22 UTC
CVE-2023-29449: JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should typically be granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.

Reference: https://support.zabbix.com/browse/ZBX-22589

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29449
https://bugzilla.redhat.com/show_bug.cgi?id=2222680
https://www.cve.org/CVERecord?id=CVE-2023-29449
Adding Boris, the openSUSE maintainer.
I think it is this one: https://github.com/zabbix/zabbix/commit/d38426356892b400ee0eb2669a1677365ee2c002
As far as I can see, zbxembed is not available in 4.0. With that, I would consider 12sp3/zabbix unaffected.
Reassigning to Boris. @Boris, if I am supposed to help somehow, e.g. to send a Backports version update, let me know. Likewise, if you spot an error in my reasoning.
(In reply to Petr Gajdos from comment #6)
> Reassigning to Boris.
>
> @Boris, if I am supposed to help somehow, e.g. to send a Backports version
> update, let me know. Likewise, if you spot an error in my reasoning.

That is correct, as can be seen in the linked support ticket on the Zabbix site:

Fix Version/s 6.4.0rc1 [ 21104 ]
Fix Version/s 6.2.8rc1 [ 21103 ]
Fix Version/s 6.0.14rc1 [ 21102 ]
Fix Version/s 5.0.32rc1 [ 21100 ]

We are on version 6.0.17 in Factory. By the way, if someone is an admin on the Zabbix server (web interface), they almost by design have access to functionality that allows access to the server (if an agent is installed).