Lucene search

Alpine Linux Development TeamALPINE:CVE-2024-22122

HistoryAug 12, 2024 - 1:38 p.m.

CVE-2024-22122

2024-08-1213:38:16

Alpine Linux Development Team

security.alpinelinux.org

zabbix

sms notifications

at command injection

validation

web

server

modem

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

AI Score

8.2

Confidence

Low

EPSS

Percentile

9.5%

JSON

Zabbix allows to configure SMS notifications. AT command injection occurs on “Zabbix Server” because there is no validation of “Number” field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.

OSVersionArchitecturePackageVersionFilename
Alpine3.20-communitynoarchzabbix= 6.4.15-r2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	3.20-community	noarch	zabbix	= 6.4.15-r2	UNKNOWN

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

AI Score

8.2

Confidence

Low

EPSS

Percentile

9.5%

JSON

Related for ALPINE:CVE-2024-22122