DescriptionJavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1055175

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)bullseye1:5.0.8+dfsg-1vulnerable
sid, trixie1:7.0.0+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourcebuster(not affected)


[bookworm] - zabbix <no-dsa> (Minor issue)
[bullseye] - zabbix <no-dsa> (Minor issue)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
Upstream patch for 5.0.32:
applied in upstream release/5.0 branch:
vulnerable module introduced in (5.0.0alpha1)

Search for package or bug name: Reporting problems