[ZBX-15867] Security vulnerability when processing discovery contents from proxy Created: 2019 Feb 20 Updated: 2024 Apr 10 Resolved: 2019 Mar 26 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Server (S) |
| Affects Version/s: | 3.0.25, 4.0.6rc1 |
| Fix Version/s: | 3.0.26rc1, 4.0.6rc1, 4.2.0beta2, 4.2 (plan) |
| Type: | Problem report | Priority: | Critical |
| Reporter: | Vladislavs Sokurenko | Assignee: | Vladislavs Sokurenko |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
echo.png
traceroute.png
|
||||||||
| Issue Links: |
|
||||||||
| Team: |  Team A |
||||||||
| Sprint: | Sprint 49 (Feb 2019) | ||||||||
| Story Points: | 0.25 | ||||||||
| Description |
|
It's possible to send specific network discovery contents to Zabbix server and make it to accept invalid DNS, resulting in such host being discovered: Later if there are scripts that call HOST.DNS, for example script:
/usr/bin/traceroute {HOST.DNS}
It can open in something unexpected: |
| Comments |
| Comment by Vladislavs Sokurenko [ 2019 Feb 28 ] |
|
Fixed in:
|
