CVE-2022-22704 — Missing Initialization of Resource in Zabbix-agent2

CWE-909 — Missing Initialization of Resource CWE-269 — Improper Privilege Management2 documents2 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 38.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Zabbix-agent2

Timeline

PublishedJan 6

Latest updateJan 7

Description

The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDzabbix/zabbix-agent2< 5.4.9+1

🔴Vulnerability Details

GHSA

GHSA-rgf9-28hg-x4c8: The zabbix-agent2 package before 5↗2022-01-07

▶