Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-25016

Remote code execution within ping script (CVE-2024-22116)

XMLWordPrintable

    • Icon: Defect (Security) Defect (Security)
    • Resolution: Fixed
    • Icon: Critical Critical
    • 6.4.16rc1, 7.0.0rc3
    • 6.4.15, 7.0.0rc2
    • Server (S)
    • None

      Mitre ID CVE-2024-22116
      CVSS score 9.9
      CVSS vector https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
      Severity Critical
      Summary Remote code execution within ping script
      Description An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.
      Common Weakness Enumeration (CWE) CWE-94 Improper Control of Generation of Code ('Code Injection')
      Common Attack Pattern Enumeration and Classification (CAPEC) CAPEC-253 Remote Code Inclusion
      Known attack vectors Compromise of the monitoring environment
      Details  
      Patch provided  No
      Component/s Server
      Affected and fixed version/s 6.4.9 - 6.4.15 / 6.4.16rc1
      7.0.0alpha1 - 7.0.0rc2 / 7.0.0rc3
      Fix compatibility tests -
      Resolution Fixed
      Workarounds -
      Acknowledgements Zabbix wants to thank justonezero and Qusai Alhaddad (qusaialhaddad) who submitted this report in HackerOne bug bounty platform

            zabbix.support Zabbix Support Team
            mmelnikovs Maris Melnikovs (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: