ZABBIX BUGS AND ISSUES / ZBX-23857

icmpping() code execution vulnerability (CVE-2023-32727)


    • Type: Defect (Security)
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: Server (S)

      Mitre ID: CVE-2023-32727
      CVSS score: 6.8
      CVSS vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
      Severity: Medium
      Summary: icmpping() code execution vulnerability
      Description: An attacker who has the privilege to configure Zabbix items can use the icmpping() function with an additional malicious command inside it to execute arbitrary code on the current Zabbix server.
      Common Weakness Enumeration (CWE): CWE-20 Improper Input Validation
      Common Attack Pattern Enumeration and Classification (CAPEC): CAPEC-248 Command Injection
      Known attack vectors: Current vulnerability can cause command injection
      Patch provided: No
      Component/s: Server
      Affected version/s and fix version/s:
        4.0.0 - 4.0.49 / 4.0.50
        5.0.0 - 5.0.38 / 5.0.39
        6.0.0 - 6.0.22 / 6.0.23rc1
        6.4.0 - 6.4.7 / 6.4.8rc1
        7.0.0alpha0 - 7.0.0alpha6 / 7.0.0alpha7
      Fix compatibility tests: -
      Resolution: Fixed
      Workarounds: -
      Acknowledgements: This vulnerability was reported on the HackerOne bounty hunter platform by Philippe Antoine (catenacyber)
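
      To check an inventory of server versions against the affected and fix versions listed above, the following Python sketch (an added example, not part of the Zabbix advisory or of Zabbix itself) compares version strings including their alpha and rc suffixes. The function names and the sample host list are assumptions made for illustration, and "unlisted" means only that the table above names no range for that release branch.

```python
import re

# Affected range (first, last) and first fixed version per branch,
# copied from the advisory's version table.
ADVISORY = [
    ("4.0.0", "4.0.49", "4.0.50"),
    ("5.0.0", "5.0.38", "5.0.39"),
    ("6.0.0", "6.0.22", "6.0.23rc1"),
    ("6.4.0", "6.4.7", "6.4.8rc1"),
    ("7.0.0alpha0", "7.0.0alpha6", "7.0.0alpha7"),
]

# Pre-release builds sort before the plain release with the same number.
STAGE_ORDER = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")


def parse_version(text):
    """Turn a string such as '6.0.23rc1' into a tuple that sorts in release order."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch, stage, stage_no = match.groups()
    return (int(major), int(minor), int(patch), STAGE_ORDER[stage], int(stage_no or 0))


def check_version(text):
    """Return 'affected', 'fixed' or 'unlisted' for one server version string."""
    version = parse_version(text)
    for first, last, fixed in ADVISORY:
        low, high, fix = parse_version(first), parse_version(last), parse_version(fixed)
        if low <= version <= high:
            return "affected"
        # Same major.minor branch, at or past the first fixed build.
        if version[:2] == fix[:2] and version >= fix:
            return "fixed"
    return "unlisted"  # branch not named in the advisory table


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    inventory = {"zbx-prod": "6.0.22", "zbx-lab": "7.0.0alpha7", "zbx-old": "5.4.9"}
    for host, version in inventory.items():
        print(f"{host}: {version} -> {check_version(version)}")
```
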

            zabbix.support Zabbix Support Team
            mmelnikovs Maris Melnikovs