CVE-2024-42325

Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.zabbix.com/browse/ZBX-26258	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::

History

08 Oct 2025, 15:32

Type	Values Removed	Values Added
Summary		(es) La API de Zabbix user.get devuelve todos los usuarios que comparten un grupo con el usuario que realiza la llamada. Esto incluye información multimedia y otros datos, como intentos de inicio de sesión, etc.
First Time		Zabbix zabbix Zabbix
References	~~() https://support.zabbix.com/browse/ZBX-26258 -~~	() https://support.zabbix.com/browse/ZBX-26258 - Vendor Advisory
CPE		cpe:2.3:a:zabbix:zabbix::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 3.5

02 Apr 2025, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-02 07:15

Updated : 2025-10-08 15:32

NVD link : CVE-2024-42325

Mitre link : CVE-2024-42325

CVE.ORG link : CVE-2024-42325

JSON object : View

Products Affected

zabbix

zabbix

CWE

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

{"id": "CVE-2024-42325", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}], "cvssMetricV40": [{"type": "Secondary", "source": "security@zabbix.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-02T07:15:41.240", "references": [{"url": "https://support.zabbix.com/browse/ZBX-26258", "tags": ["Vendor Advisory"], "source": "security@zabbix.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@zabbix.com", "description": [{"lang": "en", "value": "CWE-359"}]}], "descriptions": [{"lang": "en", "value": "Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc."}, {"lang": "es", "value": "La API de Zabbix user.get devuelve todos los usuarios que comparten un grupo con el usuario que realiza la llamada. Esto incluye informaci\u00f3n multimedia y otros datos, como intentos de inicio de sesi\u00f3n, etc."}], "lastModified": "2025-10-08T15:32:28.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D57D87-7684-4BF9-AB1E-C86ACF6BC2F2", "versionEndExcluding": "5.0.46", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "929F76B0-687E-4A4A-B4D9-D39CAC0FEFAE", "versionEndExcluding": "6.0.38", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62B11380-796B-4BB7-97C5-31E5F4E997FE", "versionEndExcluding": "7.0.9", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CBB5F294-AB64-4047-A1C6-2C3ACF3251B3", "versionEndExcluding": "7.2.3", "versionStartIncluding": "7.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@zabbix.com"}