CVE-2025-27238

EUVD-2025-29034
Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 3.5 LOW | ADJACENT_NETWORK | LOW | LOW | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
EPSS Score
Percentile: 3%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| zabbix | zabbix | 7.0.0 ≤ x < 7.0.14 |
| zabbix | zabbix | 7.2.0 ≤ x < 7.2.8 |

x = Vulnerable software versions
Debian Releases
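| Debian Product | Codename | Version | Status |
|---|---|---|---|
| zabbix | bookworm | 1:6.0.14+dfsg-1 | not-affected |
| zabbix | bullseye | 1:5.0.8+dfsg-1 | not-affected |
| zabbix | bullseye (security) | 1:5.0.47+dfsg-0+deb11u1 | fixed |
| zabbix | forky | 1:7.0.22+dfsg-1 | fixed |
| zabbix | sid | 1:7.0.22+dfsg-1 | fixed |
| zabbix | trixie | | no-dsa |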