Attackers Can Craft SNMP Traps to Fool Zabbix UI
CVE-2024-42332

3.7LOW

Key Information:

Vendor: Zabbix
Status: Zabbix
Vendor: CVE Published:; 27 November 2024

What is CVE-2024-42332?

The researcher is showing that due to the way the SNMP trap log is parsed, an attacker can craft an SNMP trap with additional lines of information and have forged data show in the Zabbix UI. This attack requires SNMP auth to be off and/or the attacker to know the community/auth details. The attack requires an SNMP item to be configured as text on the target host.

Affected Version(s)

Zabbix 6.0.0 < 6.0.34

Zabbix 6.4.0 < 6.4.19

Zabbix 7.0.0 < 7.0.4

References

https://support.zabbix.com/browse/ZBX-25628

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2024

Credit

Zabbix wants to thank chamal for submitting this report on the HackerOne bug bounty platform.