CVE-2024-42331

LOW EPSS 17.4%

Published Nov 27, 20241y ago · Modified Jun 17, 20261w ago

3.3 CVSS 3.1

Low

Published Nov 27, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.

CVSS Details

Base Score

3.3

Exploitability

1.8

Impact

1.4

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability Low

Threat Intelligence

EPSS Exploit Probability

17.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 1

Vendor	Product	Version	Range
zabbix	zabbix	*	≥7.0.0 – <7.0.4

References 2

lists.debian.org https://lists.debian.org/debian-lts-announce/2024/12/msg00005.html
support.zabbix.com https://support.zabbix.com/browse/ZBX-25627

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.