What is CVE-2023-29449?

CVE-2023-29449 is a vulnerability that allows JavaScript preprocessing, webhooks, and global scripts to cause uncontrolled CPU, memory, and disk I/O utilization in Zabbix versions 5.0.31 up to and including 6.4.4.

How severe is CVE-2023-29449?

CVE-2023-29449 has a severity score of 4.9, which is considered medium.

Can non-administrative roles exploit CVE-2023-29449?

No, the configuration and testing of preprocessing, webhooks, and global scripts are only available to Administrative roles (Admin and Superadmin).

How can I fix CVE-2023-29449?

To fix CVE-2023-29449, it is recommended to upgrade to a Zabbix version higher than 6.4.4 or apply the necessary patches provided by Zabbix. Additionally, make sure to grant administrative privileges responsibly.

Where can I find more information about CVE-2023-29449?

You can find more information about CVE-2023-29449 at the following reference link: [Support Ticket ZBX-22589](https://support.zabbix.com/browse/ZBX-22589).

Vulnerability/
CVE-2023-29449

medium

5.9

CWE

770 400

13/7/2023

22/10/2024

CVE-2023-29449: Limited control of resource utilization in JS preprocessing

First published: Thu Jul 13 2023(Updated: )

JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.

Credit: security@zabbix.com security@zabbix.com

Affected Software	Affected Version	How to fix
Zabbix Zabbix	<=5.0.31
Zabbix Zabbix	>=6.0.0<=6.0.13
Zabbix Zabbix	>=6.4.1<=6.4.4
Zabbix Zabbix	=6.4.0-alpha1
Zabbix Zabbix	=6.4.0-beta1
Zabbix Zabbix	=6.4.0-beta2
Zabbix Zabbix	=6.4.0-beta3
Zabbix Zabbix	=6.4.0-beta4
Zabbix Zabbix	=6.4.0-beta5
Zabbix Zabbix	=6.4.0-beta6
Zabbix Zabbix	=6.4.0-rc2
Zabbix Zabbix	=6.4.0-rc3
Zabbix Zabbix	=6.4.0-rc4

Never miss a vulnerability like this again

Reference Links

https://support.zabbix.com/browse/ZBX-22589

Frequently Asked Questions

What is CVE-2023-29449?
CVE-2023-29449 is a vulnerability that allows JavaScript preprocessing, webhooks, and global scripts to cause uncontrolled CPU, memory, and disk I/O utilization in Zabbix versions 5.0.31 up to and including 6.4.4.
How severe is CVE-2023-29449?
CVE-2023-29449 has a severity score of 4.9, which is considered medium.
Can non-administrative roles exploit CVE-2023-29449?
No, the configuration and testing of preprocessing, webhooks, and global scripts are only available to Administrative roles (Admin and Superadmin).
How can I fix CVE-2023-29449?
To fix CVE-2023-29449, it is recommended to upgrade to a Zabbix version higher than 6.4.4 or apply the necessary patches provided by Zabbix. Additionally, make sure to grant administrative privileges responsibly.
Where can I find more information about CVE-2023-29449?
You can find more information about CVE-2023-29449 at the following reference link: [Support Ticket ZBX-22589](https://support.zabbix.com/browse/ZBX-22589).

collector/nvd-latest
collector/nvd-api
collector/nvd-index
agent/weakness
agent/author
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/severity
agent/tags
agent/title
agent/description
agent/first-publish-date
agent/event
vendor/zabbix
canonical/zabbix zabbix
version/zabbix zabbix/5.0.31
version/zabbix zabbix/6.0.0
version/zabbix zabbix/6.0.13
version/zabbix zabbix/6.4.1
version/zabbix zabbix/6.4.4
version/zabbix zabbix/6.4.0-alpha1
version/zabbix zabbix/6.4.0-beta1
version/zabbix zabbix/6.4.0-beta2
version/zabbix zabbix/6.4.0-beta3
version/zabbix zabbix/6.4.0-beta4
version/zabbix zabbix/6.4.0-beta5
version/zabbix zabbix/6.4.0-beta6
version/zabbix zabbix/6.4.0-rc2
version/zabbix zabbix/6.4.0-rc3
version/zabbix zabbix/6.4.0-rc4