CVE-2024-42327: SQL injection in user.get API
First published: Wed Nov 27 2024(Updated: )
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.
Credit: security@zabbix.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zabbix Server |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-42327?
CVE-2024-42327 is considered a critical severity vulnerability due to its potential for SQL injection exploitation.
Who is affected by CVE-2024-42327?
Any non-admin user account on the Zabbix frontend that has the default User role or any role granting API access is affected by CVE-2024-42327.
How do I fix CVE-2024-42327?
To remediate CVE-2024-42327, it is recommended to update to the latest version of Zabbix that addresses this vulnerability.
What type of vulnerability is CVE-2024-42327?
CVE-2024-42327 is classified as an SQL injection vulnerability.
What components of Zabbix are affected by CVE-2024-42327?
The CUser class in the addRelatedObjects function is specifically affected by CVE-2024-42327.
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/type
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- collector/the-register
- source/The Register
- alias/CVE-2024-42327
- agent/references
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/zabbix
- canonical/zabbix server