CVE-2023-32727 — Improper Input Validation in Zabbix

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.2HIGHNVD

CNA6.8

EPSS

0.5%

top 35.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Zabbix Server

Timeline

PublishedDec 18

Latest updateDec 22

Description

An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶NVDzabbix/zabbix_server4.0.0 — 4.0.49+4

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix4.0.0 — 4.0.49+4

🔴Vulnerability Details

GHSA

GHSA-8h32-vcmm-pcx8: An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitra↗2023-12-22

▶

CVEList

Code execution vulnerability in icmpping↗2023-12-18

▶

OSV

CVE-2023-32727: An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitra↗2023-12-18

▶

📋Vendor Advisories

Debian

CVE-2023-32727: zabbix - An attacker who has the privilege to configure Zabbix items can use function icm...↗2023

▶