- Defect (Security)
- Resolution: Fixed
- Minor
- 5.0.42, 6.0.30, 6.4.15, 7.0.0rc2
- None
| Field | Value |
| --- | --- |
| Mitre ID | CVE-2024-22123 |
| CVSS score | 2.7 |
| CVSS vector | https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
| Severity | Low |
| Summary | Zabbix Arbitrary File Read |
| Description | Configuring SMS media allows setting the GSM modem file path. This path is later opened as a Linux device, but because everything is a file on Linux, another file can be supplied instead, e.g. a log file, and zabbix_server will try to communicate with it as if it were a modem. As a result, the log file is corrupted with AT commands and a small part of the log file content is leaked to the UI. |
| Common Weakness Enumeration (CWE) | CWE-94 Improper Control of Generation of Code ('Code Injection') |
| Common Attack Pattern Enumeration and Classification (CAPEC) | CAPEC-253 Remote Code Inclusion |
| Known attack vectors | Impact is very low; it is possible to corrupt the Zabbix log file slightly and to read a small part of the Zabbix log (without any control over which part). Also, if Zabbix server runs as a more privileged user, some DoS may be possible. |
| Details | |
| Patch provided | No |
| Component/s | Server |
| Affected and fixed version/s | 5.0.0 - 5.0.42 / 5.0.43rc1; 6.0.0 - 6.0.30 / 6.0.31rc1; 6.4.0 - 6.4.15 / 6.4.16rc1; 7.0.0alpha1 - 7.0.0rc2 / 7.0.0rc3 |
| Fix compatibility tests | - |
| Resolution | Fixed |
| Workarounds | - |
| Acknowledgements | - |