New Zabbix packages have been released for Debian GNU/Linux 11 (Bullseye) LTS to address multiple security vulnerabilities that may enable denial of service, information disclosure, or remote code inclusion. These encompass variations in execution time for failed login attempts, vulnerabilities related to cross-site scripting, and a denial-of-service vulnerability stemming from resource exhaustion.

[DLA 4131-1] zabbix security update

[SECURITY] [DLA 4131-1] zabbix security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4131-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
April 19, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : zabbix
Version : 1:5.0.46+dfsg-1+deb11u1
CVE ID : CVE-2024-36469 CVE-2024-42325 CVE-2024-45699 CVE-2024-45700
Debian Bug :

Several security vulnerabilities have been discovered in zabbix, a
network monitoring solution, potentially among other effects allowing
denial of service, information disclosure or remote code inclusion.

CVE-2024-36469

Execution time for an unsuccessful login differs when using a
non-existing username compared to using an existing one.

CVE-2024-42325

Zabbix API user.get returns all users that share common group with the
calling user. This includes media and other information, such as login
attempts, etc.

CVE-2024-45699

The endpoint /zabbix.php?action=export.valuemaps suffers from a
Cross-Site Scripting vulnerability via the backurl parameter. This is
caused by the reflection of user-supplied data without appropriate HTML
escaping or output encoding. As a result, a JavaScript payload may be
injected into the above endpoint causing it to be executed within the
context of the victim's browser.

CVE-2024-45700

Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled
resource exhaustion. An attacker can send specially crafted requests to
the server, which will cause the server to allocate an excessive amount
of memory and perform CPU-intensive decompression operations, ultimately
leading to a service crash.

For Debian 11 bullseye, these problems have been fixed in version
1:5.0.46+dfsg-1+deb11u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS