CVE-2024-42328 | THREATINT

Description

When the webdriver for the Browser object downloads data from a HTTP server, the data pointer is set to NULL and is allocated only in curl_write_cb when receiving data. If the server's response is an empty document, then wd->data in the code below will remain NULL and an attempt to read from it will result in a crash.

PUBLISHED Reserved 2024-07-30 | Published 2024-11-27 | Updated 2024-11-27 | Assigner Zabbix

LOW: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-690 Unchecked Return Value to NULL Pointer Dereference

CWE-476 NULL Pointer Dereference

Product status

Default status

unaffected

7.0.0 (git)

affected

Credits

Zabbix wants to thank zhutyra for submitting this report on the HackerOne bug bounty platform reporter

References

support.zabbix.com/browse/ZBX-25624

cve.org (CVE-2024-42328)

nvd.nist.gov (CVE-2024-42328)

Download JSON