Zabbix vulnerable to critical SQL injection bug

Zabbix urges users to upgrade immediately because of a serious bug in the open source platform.

The Zabbix monitoring platform is vulnerable to a critical bug. CVE-2024-42327 allows users with low privileges on the front-end to escalate those privileges via SQL injection and potentially cause further damage from there. Other roles with API access can also exploit the bug. Reflecting its severity, the flaw carries a CVSS score of 9.9.

A patch has since become available, and Zabbix urges users to install it immediately. The following versions of the open source platform are susceptible to the bug:

  • 6.0.0 to 6.0.31
  • 6.4.0 to 6.4.16
  • 7.0.0

Upgrading to 6.0.32rc1, 6.4.17rc1 or 7.0.1rc1 respectively fixes the issue.
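As an added example (not from the article or from Zabbix), the following Python helper classifies a Zabbix version string against the ranges listed above, treating a release candidate as older than the final build of the same number so that 6.0.32rc1 counts as fixed while 6.0.31 does not. The `apiinfo.version` JSON-RPC reply it parses is a constructed sample.

```python
import json
import re

# Affected ranges (inclusive) and first fixed builds per branch, as stated in the advisory.
AFFECTED_RANGES = [((6, 0, 0), (6, 0, 31)), ((6, 4, 0), (6, 4, 16)), ((7, 0, 0), (7, 0, 0))]
FIXED_VERSIONS = {(6, 0): "6.0.32rc1", (6, 4): "6.4.17rc1", (7, 0): "7.0.1rc1"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(text):
    """Turn 'X.Y.Z' or 'X.Y.ZrcN' into a comparable tuple.

    A release candidate sorts before the final build of the same number,
    so the tuple is (major, minor, patch, is_final, rc_number).
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def assess(version_text):
    """Return (status, first_fixed); status is 'affected', 'fixed' or 'not listed'."""
    v = parse_version(version_text)
    fixed_text = FIXED_VERSIONS.get(v[:2])  # branch is (major, minor)
    if fixed_text and v >= parse_version(fixed_text):
        return ("fixed", fixed_text)
    if any(low <= v[:3] <= high for low, high in AFFECTED_RANGES):
        return ("affected", fixed_text)
    return ("not listed", None)  # branch the advisory does not mention


def version_from_api_response(body):
    """Extract the version from a Zabbix JSON-RPC 'apiinfo.version' reply (the
    standard unauthenticated API call for this). The reply passed in below is a
    constructed sample, not a live capture."""
    return json.loads(body)["result"]


# Constructed sample reply from api_jsonrpc.php for a 6.0 install.
SAMPLE_REPLY = '{"jsonrpc":"2.0","result":"6.0.31","id":1}'

if __name__ == "__main__":
    for candidate in ("6.0.31", "6.0.32rc1", "6.4.16", "7.0.0", "7.0.1rc1", "5.0.44"):
        print(candidate, *assess(candidate))
    print("api reports:", version_from_api_response(SAMPLE_REPLY), *assess(version_from_api_response(SAMPLE_REPLY)))
```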

‘Unforgivable’

SQL injections have been around forever and are easy to exploit. At the same time, it is not that difficult for organizations to eliminate such bugs before software goes into production. For that reason, the U.S. FBI and CISA generally label SQL injection bugs as unforgivable.

Zabbix itself shares more details on its website. Now that the bug is common knowledge, Zabbix administrators should act quickly. After all, an attacker who manages to obtain login credentials for any user account can easily escalate that access until the hole is patched.