CVE-2024-22122 — Command Injection in Zabbix

CWE-77 — Command Injection4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.4%

top 36.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix

Timeline

PublishedAug 12

Description

Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages4 packages

▶debiandebian/zabbix< zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye)

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix7.0.0alpha1 — 7.0.0rc2

▶NVDzabbix/zabbix5.0.0 — 5.0.42+3

🔴Vulnerability Details

GHSA

GHSA-m34r-jrv8-mwmv: Zabbix allows to configure SMS notifications↗2024-08-12

▶

OSV

CVE-2024-22122: Zabbix allows to configure SMS notifications↗2024-08-12

▶

📋Vendor Advisories

Debian

CVE-2024-22122: zabbix - Zabbix allows to configure SMS notifications. AT command injection occurs on "Za...↗2024

▶