CVE-2024-36460: 
Zabbix Server vulnerability analysis and mitigation

A security vulnerability identified as CVE-2024-36460 affects the Zabbix monitoring solution's front-end audit log functionality. The vulnerability was discovered and reported on August 9, 2024, affecting multiple versions of Zabbix including versions 5.0.0 through 5.0.42, 6.0.0 through 6.0.30, 6.4.0 through 6.4.15, and 7.0.0. The issue allows the viewing of unprotected plaintext passwords in the front-end audit log (Zabbix Issue).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The technical assessment indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and can impact both confidentiality and integrity while not affecting availability (Ubuntu CVE).

The vulnerability exposes sensitive password data that can be extracted from the audit log. This exposure could lead to impersonation attacks and unauthorized access to systems. The high confidentiality and integrity impact ratings indicate that this vulnerability could result in significant data exposure and potential system compromise (Zabbix Issue).

Fixed versions have been released including 5.0.43rc1, 6.0.31rc1, 6.4.16rc1, 7.0.1rc1, and 7.2.0alpha1. Various Linux distributions have also released patches, with Debian providing fixes in version 1:5.0.45+dfsg-1+deb11u1 for bullseye and 1:7.0.10+dfsg-1 for sid (Debian Tracker).