CVE-2024-22116 — Code Injection in Zabbix

CWE-94 — Code Injection4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 34.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix

Timeline

PublishedAug 12

Description

An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/zabbix< zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye)

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix7.0.0alpha1 — 7.0.0rc2

▶NVDzabbix/zabbix6.4.9 — 6.4.15+1

🔴Vulnerability Details

GHSA

GHSA-3wch-5xm2-547f: An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section↗2024-08-12

▶

OSV

CVE-2024-22116: An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section↗2024-08-12

▶

📋Vendor Advisories

Debian

CVE-2024-22116: zabbix - An administrator with restricted permissions can exploit the script execution fu...↗2024

▶