CVE-2024-45700

Published Apr 2, 2025

Last updated 4 months ago

CVSS medium 6.0

Overview

Description
Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading to a service crash.
Source
security@zabbix.com
NVD status
Modified
Products
zabbix

Risk scores

CVSS 4.0

Type
Secondary
Base score
6
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

security@zabbix.com
CWE-770

Social media

Hype score
Not currently trending

  1. 🚨 Uwaga administratorzy Zabbix! Wykryto lukę CVE-2024-45700 umożliwiającą atak DoS przez wyczerpanie zasobów. Problem naprawiono w wersjach: 6.0.39rc1, 7.0.10rc1, 7.2.4rc1 i 7.4.0alpha1 Szczegóły: https://t.co/7Y8tqsSuRq #CyberSecurity #InfoSec #ZabbixSecurity

    @arkady86

    3 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-45700 Zabbix DoS Vulnerability via Uncontrolled Resource Exhaustion https://t.co/f1XLZ1X869

    @VulmonFeeds

    2 Apr 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Zabbix server DoS vulnerability (CVE-2024-45700) #CVE202445700 #CyberSecurity #DoSVulnerability #Zabbix https://t.co/dd72hLbbMa https://t.co/0bA5AZWEzG

    @SystemTek_UK

    2 Apr 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.CVE-2025-49641
  2. A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.CVE-2025-27236
  3. The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.CVE-2025-27231
  4. A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field.CVE-2025-27240
  5. Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.CVE-2025-27238

References

Sources include official advisories and independent security research.