
Zabbix, an open-source application monitoring tool, is warning its customers of a new critical vulnerability that could lead to full system compromise.
The vulnerability, tracked as CVE-2024-42327 with a CVSS score of 9.9, is an SQL injection bug that can be exploited by users with API access. A non-admin user account on the Zabbix frontend with the default User role, or with any other role that grants API access, can exploit it.
“An SQLi exists in the CUser class in the addRelatedObjects function; this function is being called from the CUser.get function, which is available for every user who has API access.”
Zabbix said three product versions are affected and should be upgraded to the latest available:
- 6.0.0…6.0.31
- 6.4.0…6.4.16
- 7.0.0
Upgrading to versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1 respectively protects users from the privilege escalation attack.
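The affected ranges and fixed releases above are the kind of data an operator wants to run over a fleet rather than read once, so here is an added triage helper (example code written for this article, not Zabbix's own tooling) that classifies a Zabbix version string against those ranges and reports which fixed release a host should move to. It assumes the listed ranges are inclusive at both ends and that a pre-release such as 7.0.0rc1 shares its base release's status; the function names, the version regex and the sample inventory are all constructed for the example.

```python
import re

# Affected ranges and the corresponding fixed releases, as listed in the
# Zabbix advisory for CVE-2024-42327. Ranges are treated as inclusive
# (an assumption; the advisory writes them as "6.0.0...6.0.31").
AFFECTED = [
    ((6, 0, 0), (6, 0, 31), "6.0.32rc1"),
    ((6, 4, 0), (6, 4, 16), "6.4.17rc1"),
    ((7, 0, 0), (7, 0, 0), "7.0.1rc1"),
]

# Accepts "6.0.31", "6.0.32rc1", "7.0.0" and similar (regex is our own).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(rc\d+)?$")


def parse_version(text):
    """Split a Zabbix version string into ((major, minor, patch), rc_number)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    rc = int(m.group(4)[2:]) if m.group(4) else None
    return core, rc


def fixed_release_for(version):
    """Return the fixed release an affected build should upgrade to, or None.

    Only the major.minor.patch triple decides: 6.0.32rc1 lies above the
    6.0.x affected range and is therefore reported as not affected, while
    a pre-release of an affected base version (e.g. 7.0.0rc1) is treated
    as affected (assumption, since the advisory lists 7.0.0 as vulnerable).
    """
    core, _rc = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= core <= high:
            return fixed
    return None


def triage_inventory(inventory):
    """Map host -> required fixed release for every host on an affected build.

    `inventory` is {hostname: version_string}; hosts on unaffected or
    already-patched builds are omitted from the result.
    """
    result = {}
    for host, version in inventory.items():
        fix = fixed_release_for(version)
        if fix is not None:
            result[host] = fix
    return result


# Constructed sample fleet (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "zbx-prod-01": "6.0.31",     # last affected 6.0.x release
    "zbx-prod-02": "6.0.32rc1",  # the fixed release for the 6.0 branch
    "zbx-lab-01": "6.4.3",       # inside the 6.4.x affected range
    "zbx-lab-02": "7.0.0",       # the single affected 7.0 release
    "zbx-old-01": "5.0.40",      # branch not listed as affected
}

if __name__ == "__main__":
    for host, fix in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, upgrade to {fix}")
```

Feeding it the version reported by each frontend (for instance the string returned by the Zabbix API's `apiinfo.version` method) turns the advisory's three ranges into a concrete upgrade list; the version regex is deliberately strict so a malformed or unexpected string raises instead of being silently classified as safe.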
The vulnerability was discovered by security researcher Márk Rákóczi and reported through the HackerOne bug bounty platform. Zabbix has acknowledged the report and promptly released patches to address the issue.

