Zabbix API Excessive Information Disclosure Vulnerability

Vulnerability

A vulnerability exists in the Zabbix API in versions 5.0.0 through 5.0.45, 6.0.0 through 6.0.37, 7.0.0 through 7.0.8, and 7.2.0 through 7.2.2. The issue lies in the 'user.get' method, which returns every user that shares a user group with the calling user. The response includes sensitive information such as media details and login attempt records. The vulnerability is categorized as improper authorization: an authenticated Zabbix API user with low privileges can retrieve more information about other users than their role should allow.

Impact

This vulnerability could lead to unauthorized information disclosure, allowing users to access sensitive data about other users in the same group, including media information and login attempt details.

Remediation

Users can upgrade to Zabbix versions 5.0.46rc1, 6.0.38rc1, 7.0.9rc1, or 7.2.3rc1 to address this vulnerability.
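To turn the affected and fixed versions listed above into an inventory check, here is an added Python example (not code from Zabbix or from this advisory's publisher) that classifies a reported Zabbix version against those ranges. The pre-release ordering (an rcN build sorts below its final release, but above the previous patch level) is an assumption based on Zabbix's version naming; branches the advisory does not list are simply reported as outside its ranges.

```python
import re

# Affected ranges and fixing versions exactly as stated in the advisory.
AFFECTED_RANGES = [("5.0.0", "5.0.45"), ("6.0.0", "6.0.37"),
                   ("7.0.0", "7.0.8"), ("7.2.0", "7.2.2")]
FIXED_IN = {"5.0": "5.0.46rc1", "6.0": "6.0.38rc1",
            "7.0": "7.0.9rc1", "7.2": "7.2.3rc1"}

# major.minor.patch with an optional pre-release tag (assumed naming: alpha/beta/rc).
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")


def parse_version(version):
    """Return a sortable tuple so that 5.0.45 < 5.0.46rc1 < 5.0.46."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    if m.group(4):
        stage = {"alpha": 0, "beta": 1, "rc": 2}[m.group(4)]
        return (major, minor, patch, stage, int(m.group(5)))
    return (major, minor, patch, 3, 0)  # final release ranks above any pre-release


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def assess(version):
    """Return (affected, recommended_fix): the fix is the advisory's first fixed
    build for the same major.minor branch, or None if the version is not affected."""
    affected = is_affected(version)
    branch = ".".join(version.strip().split(".")[:2])
    return affected, (FIXED_IN.get(branch) if affected else None)


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    for host, ver in [("mon-01", "7.0.8"), ("mon-02", "7.0.9rc1"), ("mon-03", "6.0.12")]:
        print(host, ver, assess(ver))
```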

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          0.6
exploitability  4.8
remediation     7.7
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.