Defect (Security)
Resolution: Fixed
Minor
| Mitre ID | CVE-2023-32728 |
| CVSS score | 4.6 |
| CVSS vector | https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L |
| Severity | Medium |
| Summary | Code injection in Zabbix Agent 2 smart.disk.get caused by smartctl plugin |
| Description | The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command, resulting in a possible remote code execution vulnerability. |
| Common Weakness Enumeration (CWE) | CWE-20 Improper Input Validation |
| Common Attack Pattern Enumeration and Classification (CAPEC) | CAPEC-253 Remote Code Inclusion |
| Known attack vectors | An attacker can execute arbitrary code on any device that has a Zabbix Agent 2 listening and smartctl installed. |
| Patch provided | No |
| Component/s | Agent 2 |
| Affected version/s and fix version/s | 5.0.0 - 5.0.38 / 5.0.39rc1; 6.0.0 - 6.0.23 / 6.0.24rc1; 6.4.0 - 6.4.8 / 6.4.9rc1; 7.0.0alpha1 - 7.0.0alpha7 / 7.0.0alpha8 |
| Fix compatibility tests | - |
| Resolution | Fixed |
| Workarounds | - |
| Acknowledgements | This vulnerability was reported through the HackerOne bug bounty platform by Philippe Antoine (catenacyber). |
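The weak pattern named in the description (item parameters spliced into a shell command line) next to a hardened alternative, as an added illustration in Go, the language of Zabbix Agent 2. This is not the project's code or its actual fix; the device-path pattern, the `-d` type allow-list and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// devicePattern admits only plain /dev/ paths built from letters, digits,
// '/', '_', '.', '-'. Shell metacharacters (; | & $ ` quotes, spaces) are excluded.
var devicePattern = regexp.MustCompile(`^/dev/[A-Za-z0-9_./-]+$`)

// allowedTypes is an assumed allow-list for the smartctl -d option.
var allowedTypes = map[string]bool{"": true, "ata": true, "sat": true, "scsi": true, "nvme": true}

// unsafeCommandLine shows the weak pattern: parameters are spliced into one
// string destined for a shell, so their content is interpreted by the shell.
// It is never executed here; it exists only to contrast with the safe form.
func unsafeCommandLine(device, devType string) string {
	return fmt.Sprintf("smartctl -a -d %s %s", devType, device)
}

// safeSmartctlArgs validates both parameters and returns an argv slice.
// Passed to exec.Command (no shell), each element reaches smartctl literally,
// and the allow-lists reject anything unexpected before that point.
func safeSmartctlArgs(device, devType string) ([]string, error) {
	if !devicePattern.MatchString(device) {
		return nil, errors.New("invalid device path")
	}
	if !allowedTypes[devType] {
		return nil, errors.New("unsupported device type")
	}
	args := []string{"-a", "--json"}
	if devType != "" {
		args = append(args, "-d", devType)
	}
	return append(args, device), nil
}

func main() {
	args, err := safeSmartctlArgs("/dev/sda", "sat")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	// exec.Command does not invoke a shell; args are handed to smartctl as-is.
	out, err := exec.Command("smartctl", args...).CombinedOutput()
	fmt.Printf("exit error: %v\n%s", err, out)
}
```

Running main requires smartctl on the host; the validation functions themselves need nothing beyond the standard library.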