CVE-2014-3005 — XML External Entity (XXE) Injection in Zabbix

CWE-611 — XML External Entity (XXE) Injection12 documents6 sources

Severity

9.8CRITICALNVD

EPSS

4.3%

top 11.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix Fedoraproject Fedora

Timeline

PublishedFeb 1

Latest updateJun 15

Description

XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/zabbix< zabbix 1:2.2.5+dfsg-1 (bookworm)

▶Debianzabbix/zabbix< 1:2.2.5+dfsg-1+3

▶Ubuntuzabbix/zabbix< 1:2.2.2+dfsg-1ubuntu1+esm4+3

▶NVDzabbix/zabbix41 versions+40

Also affects: Fedora 19, 20

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

OSV

zabbix vulnerabilities↗2022-06-15

▶

GHSA

GHSA-5xxv-j4hw-gp2p: XML external entity (XXE) vulnerability in Zabbix 1↗2022-05-14

▶

OSV

CVE-2014-3005: XML external entity (XXE) vulnerability in Zabbix 1↗2018-02-01

▶

📋Vendor Advisories

Ubuntu

Zabbix vulnerabilities↗2022-06-15

▶

Debian

CVE-2014-3005: zabbix - XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x ...↗2014

▶

💬Community

Bugzilla

CVE-2014-3005 zabbix: local file inclusion via XXE attack [epel-7]↗2014-06-17

▶

Bugzilla

CVE-2014-3005 zabbix20: zabbix: local file inclusion via XXE attack [epel-all]↗2014-06-17

▶

Bugzilla

CVE-2014-3005 zabbix: local file inclusion via XXE attack [epel-6]↗2014-06-17

▶

Bugzilla

CVE-2014-3005 zabbix: local file inclusion via XXE attack↗2014-06-17

▶

Bugzilla

CVE-2014-3005 zabbix: local file inclusion via XXE attack [fedora-all]↗2014-06-17

▶