CVE-2024-36464 - Exposing Passwords in YAML When Exporting Media Types – What You Need to Know

In June 2024, the vulnerability CVE-2024-36464 caught the attention of security professionals and system administrators working with Zabbix. This issue is described as follows: When users export media types, sensitive passwords are included in the exported YAML file in plain text. At first glance, this can sound alarming—no one wants passwords sitting around unprotected.

But let's dig deeper. In this long read, I’ll explain what this vulnerability actually means, when it matters (and when it doesn’t), and illustrate the problem with a simple code snippet. By the end, you’ll know what to do and what to watch for (and what you don’t have to panic about).

What Is CVE-2024-36464?

CVE-2024-36464 refers to an information exposure vulnerability. Specifically, when an authorized user in Zabbix exports a media type configuration (such as one for an email or chat notification), the resulting YAML file will contain the media password in plain, human-readable text.

Why Is That a Concern?

Exported configurations are sometimes shared between admins or stored in backup repositories. Best security practices say—never store passwords in plain text, even if it’s only accessible to privileged users. Attackers gaining access to YAML files could harvest passwords for external services (like SMTP servers or chatbots).

Here’s what a real YAML export could look like (simplified for clarity)

media_types:
  - name: "Email alerts"
    type: smtp
    smtp_server: "smtp.example.com"
    smtp_port: 587
    smtp_username: "zabbix@example.com"
    smtp_password: "My$up3rS3cretP@sswrd"  # <-- Sensitive data exposed!

As you can see, the smtp_password field is not masked or encrypted.

How Bad Is It… Really?

Here’s the important part:
To export media types, you need privileged Zabbix access (basically ‘Admin’ permissions). If a user can export media types, they already have access to the stored passwords in the web interface.

In other words, there is no privilege escalation—this does not let users see passwords they couldn’t already access. The risk is mainly about handling exported files carefully and following best practices.

Exploit Details

There is no remote or unauthorized exploitation.
This is a “best practices” problem, not a bug that lets outsiders in. The only “exploit” is if:

Someone with the correct permissions exports a media type.

- That exported file—containing passwords—is then mishandled (uploaded to public git repo, shared insecurely, etc).

Someone else (unauthorized) later accesses the file.

Security impact:
Low to negligible if standard practices are followed.
Could raise risks if exported YAML files are widely shared or not deleted securely.

How to Stay Safe

- Be careful where you store and send exported YAMLs. Treat them as you would any password-containing file.

Delete exported files once they are imported or no longer needed.

If possible, consider removing or masking passwords before sharing such files externally.

Official References and Fixes

- CVE-2024-36464 (NIST entry)
- Zabbix Official Security Page
- Zabbix Documentation: Export/Import of Media Types

As of June 2024:
No upstream patch is available, because the Zabbix team considers this a question of operator responsibility, not a classic vulnerability.

Conclusion

CVE-2024-36464 highlights the importance of securely handling configuration exports—not just in Zabbix, but in all enterprise software. While the risk is low (since admin permissions are required), you should always treat exported files as sensitive and make sure they’re protected, just like any other password list.

Stay safe, and keep your passwords out of the wild!

*Written exclusively for you, in simple, clear language.

Timeline

Published on: 11/27/2024 14:15:17 UTC