-
Defect (Security)
-
Resolution: Fixed
-
Critical
-
6.4.15, 7.0.0rc2
-
None
| Mitre ID | CVE-2024-22116 |
| CVSS score | 9.9 |
| CVSS vector | https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Severity | Critical |
| Summary | Remote code execution within ping script |
| Description | An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure. |
| Common Weakness Enumeration (CWE) | CWE-94 Improper Control of Generation of Code ('Code Injection') |
| Common Attack Pattern Enumeration and Classification (CAPEC) | CAPEC-253 Remote Code Inclusion |
| Known attack vectors | Compromise of the monitoring environment |
| Details | |
| Patch provided | No |
| Component/s | Server |
| Affected and fixed version/s | 6.4.9 - 6.4.15 / 6.4.16rc1 7.0.0alpha1 - 7.0.0rc2 / 7.0.0rc3 |
| Fix compatibility tests | - |
| Resolution | Fixed |
| Workarounds | - |
| Acknowledgements | Zabbix wants to thank justonezero and Qusai Alhaddad (qusaialhaddad) who submitted this report in HackerOne bug bounty platform |