Authorized User Can Add Themselves to Any Group, Except Disabled or Restricted Ones
CVE-2024-36467
CVSS v3.1 score: 7.5 (HIGH)
What is CVE-2024-36467?
An authenticated user with API access (the default User role is sufficient), specifically one permitted to call the user.update API method, can add themselves to any user group in Zabbix, including privileged groups such as Zabbix Administrators. The only groups out of reach are those that are disabled or have restricted GUI access. Because Zabbix grants host-level permissions through user group membership, joining an administrative group extends the user's reach to whatever that group is allowed to read or change. Until the instance is upgraded past the affected ranges below, every account with API access should be assumed able to reach this bug.
Affected Version(s)
Zabbix 5.0.0 through 5.0.42 (inclusive)
Zabbix 6.0.0 through 6.0.32 (inclusive)
Zabbix 6.4.0 through 6.4.17 (inclusive)
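The two checks a practitioner wants from this advisory are whether an instance is in the affected ranges above and whether any account has already placed itself in a privileged group. The following is an added example written for this page, not code from Zabbix or from the reporter. It encodes the advisory's ranges, builds the unauthenticated apiinfo.version JSON-RPC request (a real Zabbix API method), and audits user.get output for unexpected members of a privileged group. The sample API replies, the group ids and the usernames are constructed for the example; only "Zabbix administrators" is the real default group name.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Affected ranges exactly as listed in this advisory (both bounds inclusive).
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((5, 0, 0), (5, 0, 42)),
    ((6, 0, 0), (6, 0, 32)),
    ((6, 4, 0), (6, 4, 17)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Zabbix version string ("6.0.32", "6.4.18rc1") to a numeric triple.

    Pre-release suffixes are dropped, so "6.0.33rc1" compares as 6.0.33 and
    therefore falls outside the affected 6.0 range.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_request(request_id: int = 1) -> str:
    """JSON-RPC body for the Zabbix API method apiinfo.version.

    The method takes an empty params array and needs no auth token, so the
    body can be POSTed to /api_jsonrpc.php before any credentials are used.
    """
    return json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                       "params": [], "id": request_id})


def assess_version_response(body: str) -> Tuple[str, bool]:
    """Parse an apiinfo.version reply and return (version, affected?)."""
    reply = json.loads(body)
    if "error" in reply:
        raise RuntimeError(f"Zabbix API error: {reply['error']}")
    version = reply["result"]
    return version, is_affected(version)


def unexpected_privileged_members(users: List[Dict], privileged_groups: Set[str],
                                  expected_members: Set[str]) -> List[Tuple[str, str]]:
    """Return (login, group) pairs for members of a privileged group who are
    not on the expected-member list.

    `users` is the result array of user.get called with selectUsrgrps, where
    each user carries a `usrgrps` list of {usrgrpid, name, ...}. The login field
    is `username` in 6.0/6.4 and `alias` in 5.0; both are accepted.
    """
    findings = []
    for user in users:
        login = user.get("username") or user.get("alias") or user.get("userid")
        for grp in user.get("usrgrps", []):
            if grp.get("name") in privileged_groups and login not in expected_members:
                findings.append((login, grp["name"]))
    return findings


# Constructed sample shaped like user.get(selectUsrgrps=["usrgrpid", "name"])
# output; not real data. "Zabbix administrators" is the default group named in
# the advisory; the ids and memberships below are invented for this example.
SAMPLE_USERS = [
    {"userid": "1", "username": "Admin",
     "usrgrps": [{"usrgrpid": "7", "name": "Zabbix administrators"}]},
    {"userid": "2", "username": "guest",
     "usrgrps": [{"usrgrpid": "8", "name": "Guests"}]},
    {"userid": "10", "username": "bob",
     "usrgrps": [{"usrgrpid": "14", "name": "Ops"},
                 {"usrgrpid": "7", "name": "Zabbix administrators"}]},
]


if __name__ == "__main__":
    # Version check against a constructed apiinfo.version reply.
    sample_reply = '{"jsonrpc":"2.0","result":"6.4.17","id":1}'
    version, affected = assess_version_response(sample_reply)
    print(f"Zabbix {version}: {'AFFECTED' if affected else 'not affected'}")
    # Membership audit: Admin is the only expected member of the admin group.
    for login, group in unexpected_privileged_members(
            SAMPLE_USERS, {"Zabbix administrators"}, {"Admin"}):
        print(f"unexpected member of {group!r}: {login}")
```

To run the audit against a live instance, send `version_request()` and an authenticated `user.get` with `selectUsrgrps` to `/api_jsonrpc.php` and feed the replies to the two assessment functions; the expected-member set should come from your own access records, not from the instance being checked.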
CVSS v3.1
Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Note that this vector scores Privileges Required as None and Integrity as None, although the issue needs an authenticated API user and its effect is a change to group membership. Do not rely on the headline score alone; rate the issue against your own deployment, where what matters is what the reachable user groups are permitted to read or change.
Credit
Zabbix wants to thank Márk Rákóczi for submitting this report on the HackerOne bug bounty platform.