| Name | CVE-2024-36464 |
| Description | When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3984-1 |
| Debian Bugs | 1088689 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| zabbix (PTS) | bullseye | 1:5.0.8+dfsg-1 | vulnerable |
| bullseye (security) | 1:5.0.45+dfsg-1+deb11u1 | fixed |
| bookworm | 1:6.0.14+dfsg-1 | vulnerable |
| sid, trixie | 1:7.0.6+dfsg-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| zabbix | source | bullseye | 1:5.0.45+dfsg-1+deb11u1 | | DLA-3984-1 | |
| zabbix | source | (unstable) | (unfixed) | | | 1088689 |
Notes
https://support.zabbix.com/browse/ZBX-25630
Despite upstream claiming fixed in 6.0.30rc1, can reproduce with 6.0.36 (package from upstream)
Can also reproduce it in 5.0.45 and 7.0.6+dfsg-1.