CVE-2023-32728 — Improper Input Validation in Zabbix

CWE-20 — Improper Input Validation CWE-94 — Code Injection5 documents5 sources

Severity

9.8CRITICALNVD

CNA4.6

EPSS

0.5%

top 32.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix Zabbix Zabbix-agent2

Timeline

PublishedDec 18

Latest updateDec 22

Description

The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDzabbix/zabbix-agent25.0.0 — 5.0.38+3

▶debiandebian/zabbix< zabbix 1:6.0.24+dfsg-1 (forky)

▶Debianzabbix/zabbix< 1:6.0.24+dfsg-1+1

▶CVEListV5zabbix/zabbix5,0,0 — 5.0.38+3

🔴Vulnerability Details

GHSA

GHSA-c26q-v9gv-jx6m: The Zabbix Agent 2 item key smart↗2023-12-22

▶

OSV

CVE-2023-32728: The Zabbix Agent 2 item key smart↗2023-12-18

▶

CVEList

Code injection in zabbix_agent2 smart.disk.get caused by smartctl plugin↗2023-12-18

▶

📋Vendor Advisories

Debian

CVE-2023-32728: zabbix - The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters befo...↗2023

▶