CVE-2024-42332

Published: Nov 27, 2024Modified: Nov 3, 2025

3.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.2 / Impact: 1.4

Source: security@zabbix.com (Secondary)

Description

The researcher is showing that due to the way the SNMP trap log is parsed, an attacker can craft an SNMP trap with additional lines of information and have forged data show in the Zabbix UI. This attack requires SNMP auth to be off and/or the attacker to know the community/auth details. The attack requires an SNMP item to be configured as text on the target host.

Affected (3)

Products: Zabbix: Zabbix

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Zabbix Zabbix	From 6.0.0 to 6.0.35
Zabbix Zabbix	From 6.4.0 to 6.4.20
Zabbix Zabbix	From 7.0.0 to 7.0.3

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (2)

https://support.zabbix.com/browse/ZBX-25628

Source: security@zabbix.com

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2024/12/msg00005.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.