1213307 – (CVE-2023-29450) VUL-0: CVE-2023-29450: zabbix: unautorized file system access in JS preprocessing

Bug 1213307 (CVE-2023-29450) - VUL-0: CVE-2023-29450: zabbix: unautorized file system access in JS preprocessing

Summary: VUL-0: CVE-2023-29450: zabbix: unautorized file system access in JS preproces...

Status:	RESOLVED FIXED

Alias:	CVE-2023-29450

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Boris Manojlovic
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/372379/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-29450:8.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-07-14 06:37 UTC by Alexander Bergmann
Modified:	2023-07-31 12:30 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2023-07-14 06:37:27 UTC

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.

Affected versions are not listed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29450
https://bugzilla.redhat.com/show_bug.cgi?id=2222684
https://www.cve.org/CVERecord?id=CVE-2023-29450
https://support.zabbix.com/browse/ZBX-22588

Comment 1 Petr Gajdos 2023-07-19 10:23:21 UTC

Adding openSUSE maintainer.

Comment 2 Petr Gajdos 2023-07-19 12:49:12 UTC

This:
https://github.com/zabbix/zabbix/commit/c34f799cbb8739d69500fe3356f8fef5e2d5077c

Comment 3 Petr Gajdos 2023-07-20 11:24:01 UTC

Used this for release/5.0:
https://github.com/zabbix/zabbix/commit/5fd3d2566257bf1585dbea13e07f5333e7988942

Will submit for 12sp3/zabbix.

Comment 4 Petr Gajdos 2023-07-20 11:28:13 UTC

Reassigning to Boris.

@Boris, if I am supposed to help somehow, fx. to send an Backports version update, let me know. Likewise, if you spot an error in my reasoning.

Comment 6 Boris Manojlovic 2023-07-20 20:45:40 UTC

(In reply to Petr Gajdos from comment #4)
> Reassigning to Boris.
> 
> @Boris, if I am supposed to help somehow, fx. to send an Backports version
> update, let me know. Likewise, if you spot an error in my reasoning.

affected versions are listed in linked ticket with fixes
Fix Version/s 		5.0.34rc1 [ 21401 ]
Fix Version/s 		6.0.16rc1 [ 21402 ]
Fix Version/s 		6.4.2rc1 [ 21404 ]
Fix Version/s 		7.0.0alpha1 (master) [ 21209 ]
Fix Version/s 		6.2.9rc2 [ 21403 ]

as we are on 6.0.17 in Factory we are clear

Comment 7 Maintenance Automation 2023-07-31 12:30:36 UTC

SUSE-SU-2023:3029-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213307
CVE References: CVE-2023-29450
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): zabbix-4.0.12-4.24.1
SUSE Linux Enterprise Server 12 SP5 (src): zabbix-4.0.12-4.24.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): zabbix-4.0.12-4.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.