CVE-2023-32724 - Vulnerability Details - OpenCVE

Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00397.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Zabbix	Zabbix

Configuration 1 [-]

OR	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3::::::

No data.

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-3909-1	zabbix security update
EUVD	EUVD-2023-36951	Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html
https://support.zabbix.com/browse/ZBX-23391

History

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html

Wed, 18 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2023-10-12T06:14:45.978Z

Updated: 2025-11-03T21:48:38.879Z

Reserved: 2023-05-11T21:25:43.368Z

Link: CVE-2023-32724

Vulnrichment

Updated: 2025-11-03T21:48:38.879Z

NVD

Status : Modified

Published: 2023-10-12T07:15:10.713

Modified: 2025-11-03T22:16:22.047

Link: CVE-2023-32724

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-32724", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2023-05-11T21:25:43.368Z", "datePublished": "2023-10-12T06:14:45.978Z", "dateUpdated": "2025-11-03T21:48:38.879Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Proxy", "Server"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "5.0.37rc1", "status": "unaffected"}], "lessThanOrEqual": "5.0.36", "status": "affected", "version": "5.0.0", "versionType": "git"}, {"changes": [{"at": "6.0.21rc1", "status": "unaffected"}], "lessThanOrEqual": "6.0.20", "status": "affected", "version": "6.0.0", "versionType": "git"}, {"changes": [{"at": "6.4.6rc1", "status": "unaffected"}], "lessThanOrEqual": "6.4.5", "status": "affected", "version": "6.4.0", "versionType": "git"}, {"changes": [{"at": "7.0.0alpha4", "status": "unaffected"}], "lessThanOrEqual": "7.0.0alpha3", "status": "affected", "version": "7.0.0alpha1", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "This vulnerability is found by Pavel Voit (pavelvoit) from HackerOne community."}], "datePublic": "2023-09-11T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation."}], "value": "Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-10-12T06:14:45.978Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-23391"}], "source": {"discovery": "EXTERNAL"}, "title": "JavaScript engine memory pointers are directly available for Zabbix users for modification", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-23391", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:48:38.879Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-17T13:43:17.431115Z", "id": "CVE-2023-32724", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T13:53:20.580Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-23391", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:48:38.879Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-32724", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-17T13:43:17.431115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T13:53:13.541Z"}}], "cna": {"title": "JavaScript engine memory pointers are directly available for Zabbix users for modification", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "This vulnerability is found by Pavel Voit (pavelvoit) from HackerOne community."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.zabbix.com/", "vendor": "Zabbix", "modules": ["Proxy", "Server"], "product": "Zabbix", "versions": [{"status": "affected", "changes": [{"at": "5.0.37rc1", "status": "unaffected"}], "version": "5.0.0", "versionType": "git", "lessThanOrEqual": "5.0.36"}, {"status": "affected", "changes": [{"at": "6.0.21rc1", "status": "unaffected"}], "version": "6.0.0", "versionType": "git", "lessThanOrEqual": "6.0.20"}, {"status": "affected", "changes": [{"at": "6.4.6rc1", "status": "unaffected"}], "version": "6.4.0", "versionType": "git", "lessThanOrEqual": "6.4.5"}, {"status": "affected", "changes": [{"at": "7.0.0alpha4", "status": "unaffected"}], "version": "7.0.0alpha1", "versionType": "git", "lessThanOrEqual": "7.0.0alpha3"}], "defaultStatus": "unaffected"}], "datePublic": "2023-09-11T10:00:00.000Z", "references": [{"url": "https://support.zabbix.com/browse/ZBX-23391"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.", "supportingMedia": [{"type": "text/html", "value": "Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-10-12T06:14:45.978Z"}}}, "cveMetadata": {"cveId": "CVE-2023-32724", "state": "PUBLISHED", "dateUpdated": "2025-11-03T21:48:38.879Z", "dateReserved": "2023-05-11T21:25:43.368Z", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "datePublished": "2023-10-12T06:14:45.978Z", "assignerShortName": "Zabbix"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CAED9EA-BFA1-4BCF-8323-97AD46AC28C3", "versionEndIncluding": "5.0.36", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "531CCCBF-46AD-4988-8A9D-ED4FD5208C71", "versionEndIncluding": "6.0.20", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "868F271E-2595-4D01-BF53-46460F98891A", "versionEndIncluding": "6.4.5", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "93EB5757-7F98-4428-9616-C30A647A6612", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "DA00BDB5-433F-44E5-87AC-DA01C64B5DB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "98C46C92-9D86-45CD-88FE-DFBB5502BB88", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation."}, {"lang": "es", "value": "El puntero de memoria est\u00e1 en una propiedad del objeto Ducktape. Esto conduce a m\u00faltiples vulnerabilidades relacionadas con el acceso directo y la manipulaci\u00f3n de la memoria."}], "id": "CVE-2023-32724", "lastModified": "2025-11-03T22:16:22.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "security@zabbix.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-12T07:15:10.713", "references": [{"source": "security@zabbix.com", "tags": ["Vendor Advisory"], "url": "https://support.zabbix.com/browse/ZBX-23391"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.zabbix.com/browse/ZBX-23391"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security@zabbix.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}