CVE-2024-42331: 
Zabbix Server vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2024-42331) was discovered in Zabbix affecting the browser functionality. The vulnerability exists in the src/libs/zbxembed/browser.c file, where the esbrowserctor method retrieves a heap pointer from the Duktape JavaScript engine that is later used by the browserpusherror method. The issue was disclosed on November 27, 2024, and affects Zabbix installations with a CVSS v3.1 base score of 3.3 (Low) (Zabbix Support, NVD).

The vulnerability occurs when the heap pointer (wd->browser) obtained from the Duktape JavaScript engine is freed by garbage collection before being used by the browserpusherror method in src/libs/zbxembed/browser_error.c. This creates a use-after-free condition that could potentially be exploited. The vulnerability has been assigned CWE-416 (Use After Free) and received a CVSS v3.1 score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability has a low severity impact, primarily affecting system availability. According to the CVSS metrics, there is no impact on confidentiality or integrity, but it can affect system availability in a limited way (NVD).

The vulnerability has been fixed in Zabbix version 7.0.4rc1. Users are advised to upgrade to this version or later to address the vulnerability. The issue has been marked as fixed in the Debian security tracker for various distributions (Debian Tracker).