Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerabilities were published for zabbix.

CVE-2023-29449[0]:
| JavaScript preprocessing, webhooks and global scripts can cause
| uncontrolled CPU, memory, and disk I/O utilization.
| Preprocessing/webhook/global script configuration and testing are
| only available to Administrative roles (Admin and Superadmin).
| Administrative privileges should be typically granted to users who
| need to perform tasks that require more control over the system. The
| security risk is limited because not all users have this level of
| access.

https://support.zabbix.com/browse/ZBX-22589

Upstream patch for 5.0.32:
https://github.com/zabbix/zabbix/commit/e90b8a3c62
applied in upstream release/5.0 branch:
https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
vulnerable module introduced in
https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)

CVE-2023-29450[1]:
| JavaScript pre-processing can be used by the attacker to gain access
| to the file system (read-only access on behalf of user "zabbix") on
| the Zabbix Server or Zabbix Proxy, potentially leading to
| unauthorized access to sensitive data.

https://support.zabbix.com/browse/ZBX-22588

Patch for 5.0.32rc1:
https://github.com/zabbix/zabbix/commit/c3f1543e4
Patch for 6.0.14rc2:
https://github.com/zabbix/zabbix/commit/76f6a80cb

CVE-2023-29451[2]:
| Specially crafted string can cause a buffer overrun in the JSON
| parser library leading to a crash of the Zabbix Server or a Zabbix
| Proxy.

https://support.zabbix.com/browse/ZBX-22587

CVE-2023-29452[3]:
| Currently, geomap configuration (Administration -> General ->
| Geographical maps) allows using HTML in the field “Attribution text”
| when selected “Other” Tile provider.
https://support.zabbix.com/browse/ZBX-22981

Patches links:
https://support.zabbix.com/browse/ZBX-22720
vulnerable geomap widget introduced in version with
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 (6.0.0alpha6)

CVE-2023-29453[4]:
| Templates do not properly consider backticks (`) as Javascript
| string delimiters, and do not escape them as expected. Backticks are
| used, since ES6, for JS template literals. If a template contains a
| Go template action within a Javascript template literal, the
| contents of the action can be used to terminate the literal,
| injecting arbitrary Javascript code into the Go template. As ES6
| template literals are rather complex, and themselves can do string
| interpolation, the decision was made to simply disallow Go template
| actions from being used inside of them (e.g., "var a = {{.}}"),
| since there is no obviously safe way to allow this behavior. This
| takes the same approach as github.com/google/safehtml. With fix,
| Template.Parse returns an Error when it encounters templates like
| this, with an ErrorCode of value 12. This ErrorCode is currently
| unexported but will be exported in the release of Go 1.21. Users who
| rely on the previous behavior can re-enable it using the GODEBUG
| flag jstmpllitinterp=1, with the caveat that backticks will now be
| escaped. This should be used with caution.

https://support.zabbix.com/browse/ZBX-23388

CVE-2023-29454[5]:
| Stored or persistent cross-site scripting (XSS) is a type of XSS
| where the attacker first sends the payload to the web application,
| then the application saves the payload (e.g., in a database or
| server-side text files), and finally, the application
| unintentionally executes the payload for every victim visiting its
| web pages.
https://support.zabbix.com/browse/ZBX-22985

CVE-2023-29455[6]:
| Reflected XSS attacks, also known as non-persistent attacks, occur
| when a malicious script is reflected off a web application to the
| victim's browser. The script is activated through a link, which
| sends a request to a website with a vulnerability that enables
| execution of malicious scripts.

https://support.zabbix.com/browse/ZBX-22986

CVE-2023-29456[7]:
| URL validation scheme receives input from a user and then parses it
| to identify its various components. The validation scheme can ensure
| that all URL components comply with internet standards.

https://support.zabbix.com/browse/ZBX-22987

CVE-2023-29457[8]:
| Reflected XSS attacks occur when a malicious script is reflected
| off a web application to the victim's browser. The script can be
| activated through Action form fields, which can be sent as request
| to a website with a vulnerability that enables execution of
| malicious scripts.

https://support.zabbix.com/browse/ZBX-22988

CVE-2023-29458[9]:
| Duktape is a 3rd-party embeddable JavaScript engine, with a focus
| on portability and compact footprint. When adding too many values in
| valstack JavaScript will crash. This issue occurs due to bug in
| Duktape 2.6 which is a 3rd-party solution that we use.

This appears to be a bug in Zabbix's use of duktape, not an issue in
src:duktape per se

https://support.zabbix.com/browse/ZBX-22989

duktape library introduced with
https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2 (5.0.0alpha1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29449
    https://www.cve.org/CVERecord?id=CVE-2023-29449
[1] https://security-tracker.debian.org/tracker/CVE-2023-29450
    https://www.cve.org/CVERecord?id=CVE-2023-29450
[2] https://security-tracker.debian.org/tracker/CVE-2023-29451
    https://www.cve.org/CVERecord?id=CVE-2023-29451
[3] https://security-tracker.debian.org/tracker/CVE-2023-29452
    https://www.cve.org/CVERecord?id=CVE-2023-29452
[4] https://security-tracker.debian.org/tracker/CVE-2023-29453
    https://www.cve.org/CVERecord?id=CVE-2023-29453
[5] https://security-tracker.debian.org/tracker/CVE-2023-29454
    https://www.cve.org/CVERecord?id=CVE-2023-29454
[6] https://security-tracker.debian.org/tracker/CVE-2023-29455
    https://www.cve.org/CVERecord?id=CVE-2023-29455
[7] https://security-tracker.debian.org/tracker/CVE-2023-29456
    https://www.cve.org/CVERecord?id=CVE-2023-29456
[8] https://security-tracker.debian.org/tracker/CVE-2023-29457
    https://www.cve.org/CVERecord?id=CVE-2023-29457
[9] https://security-tracker.debian.org/tracker/CVE-2023-29458
    https://www.cve.org/CVERecord?id=CVE-2023-29458

Please adjust the affected versions in the BTS as needed.