CVE-2023-32722 - Vulnerability Details - OpenCVE

The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Zabbix	Zabbix

Configuration 1 [-]

OR	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3::::::

No data.

References

Link	Providers
https://support.zabbix.com/browse/ZBX-23390

History

Wed, 18 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2023-10-12T06:06:52.182Z

Updated: 2024-09-18T15:37:01.539Z

Reserved: 2023-05-11T21:25:43.367Z

Link: CVE-2023-32722

Vulnrichment

Updated: 2024-08-02T15:25:36.599Z

NVD

Status : Modified

Published: 2023-10-12T07:15:10.217

Modified: 2024-11-21T08:03:54.820

Link: CVE-2023-32722

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32722", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2023-05-11T21:25:43.367Z", "datePublished": "2023-10-12T06:06:52.182Z", "dateUpdated": "2024-09-18T15:37:01.539Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Agent", "Proxy", "Server"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "6.0.21rc1", "status": "unaffected"}], "lessThanOrEqual": "6.0.20", "status": "affected", "version": "6.0.0", "versionType": "git"}, {"changes": [{"at": "6.4.6rc1", "status": "unaffected"}], "lessThanOrEqual": "6.4.5", "status": "affected", "version": "6.4.0", "versionType": "git"}, {"changes": [{"at": "7.0.0alpha4", "status": "unaffected"}], "lessThanOrEqual": "7.0.0alpha3", "status": "affected", "version": "7.0.0alpha1", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "This vulnerability is found by Koffi (kandersonko) from HackerOne community."}], "datePublic": "2023-09-11T09:55:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open."}], "value": "The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-10-12T06:06:52.182Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-23390"}], "source": {"discovery": "UNKNOWN"}, "title": "Stack-buffer Overflow in library module zbxjson", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:36.599Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-23390", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "zabbix", "product": "zabbix", "cpes": ["cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0.0", "status": "affected", "lessThanOrEqual": "6.0.20", "versionType": "custom"}, {"version": "6.4.0", "status": "affected", "lessThanOrEqual": "6.4.5", "versionType": "custom"}]}, {"vendor": "zabbix", "product": "zabbix", "cpes": ["cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.0.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T15:26:49.479889Z", "id": "CVE-2023-32722", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T15:37:01.539Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-23390", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:36.599Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-32722", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-18T15:26:49.479889Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*"], "vendor": "zabbix", "product": "zabbix", "versions": [{"status": "affected", "version": "6.0.0", "versionType": "custom", "lessThanOrEqual": "6.0.20"}, {"status": "affected", "version": "6.4.0", "versionType": "custom", "lessThanOrEqual": "6.4.5"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*"], "vendor": "zabbix", "product": "zabbix", "versions": [{"status": "affected", "version": "7.0.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T15:36:51.133Z"}}], "cna": {"title": "Stack-buffer Overflow in library module zbxjson", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "This vulnerability is found by Koffi (kandersonko) from HackerOne community."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.zabbix.com/", "vendor": "Zabbix", "modules": ["Agent", "Proxy", "Server"], "product": "Zabbix", "versions": [{"status": "affected", "changes": [{"at": "6.0.21rc1", "status": "unaffected"}], "version": "6.0.0", "versionType": "git", "lessThanOrEqual": "6.0.20"}, {"status": "affected", "changes": [{"at": "6.4.6rc1", "status": "unaffected"}], "version": "6.4.0", "versionType": "git", "lessThanOrEqual": "6.4.5"}, {"status": "affected", "changes": [{"at": "7.0.0alpha4", "status": "unaffected"}], "version": "7.0.0alpha1", "versionType": "git", "lessThanOrEqual": "7.0.0alpha3"}], "defaultStatus": "unaffected"}], "datePublic": "2023-09-11T09:55:00.000Z", "references": [{"url": "https://support.zabbix.com/browse/ZBX-23390"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.", "supportingMedia": [{"type": "text/html", "value": "The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-10-12T06:06:52.182Z"}}}, "cveMetadata": {"cveId": "CVE-2023-32722", "state": "PUBLISHED", "dateUpdated": "2024-09-18T15:37:01.539Z", "dateReserved": "2023-05-11T21:25:43.367Z", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "datePublished": "2023-10-12T06:06:52.182Z", "assignerShortName": "Zabbix"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "531CCCBF-46AD-4988-8A9D-ED4FD5208C71", "versionEndIncluding": "6.0.20", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "868F271E-2595-4D01-BF53-46460F98891A", "versionEndIncluding": "6.4.5", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "93EB5757-7F98-4428-9616-C30A647A6612", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "DA00BDB5-433F-44E5-87AC-DA01C64B5DB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "98C46C92-9D86-45CD-88FE-DFBB5502BB88", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open."}, {"lang": "es", "value": "El m\u00f3dulo zabbix/src/libs/zbxjson es vulnerable a un desbordamiento del b\u00fafer al analizar archivos JSON a trav\u00e9s de zbx_json_open."}], "id": "CVE-2023-32722", "lastModified": "2024-11-21T08:03:54.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security@zabbix.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-12T07:15:10.217", "references": [{"source": "security@zabbix.com", "tags": ["Vendor Advisory"], "url": "https://support.zabbix.com/browse/ZBX-23390"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.zabbix.com/browse/ZBX-23390"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "security@zabbix.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}