Authorized User Can Add Themselves to Any Group, Except Disabled or Restricted Ones
CVE-2024-36467
What is CVE-2024-36467?
An authenticated user with API access, in particular one with permission to call the user.update API endpoint, can exploit a vulnerability in Zabbix to add themselves to any user group, including privileged groups such as Zabbix Administrators. The only groups that cannot be joined this way are those that are disabled or that have restricted GUI access. The flaw is a risk to user role management and group permissions within Zabbix and needs immediate attention to protect sensitive data and maintain system integrity.

Affected Version(s)
Zabbix 5.0.0 <= 5.0.42
Zabbix 6.0.0 <= 6.0.32
Zabbix 6.4.0 <= 6.4.17
