CVE-2016-4338

🗓️ 23 Jan 2017 21:00:00Reported by mitreType

cve

cve🔗 web.nvd.nist.gov👁 86 Views🌐 WEB

Zabbix agent userparameter_mysql.conf script allows arbitrary code execution via mysql.size paramete

Reporter	Title	Published	Views	Family All 23
0day.today	Zabbix Agent 3.0.1 - mysql.size Shell Command Injection	4 May 201600:00	–	zdt
CNVD	Zabbix SIA Zabbix Agent Remote Command Execution Vulnerability	7 May 201600:00	–	cnvd
Cvelist	CVE-2016-4338	23 Jan 201721:00	–	cvelist
Debian CVE	CVE-2016-4338	23 Jan 201721:00	–	debiancve
Exploit DB	Zabbix Agent 3.0.1 - 'mysql.size' Shell Command Injection	4 May 201600:00	–	exploitdb
exploitpack	Zabbix Agent 3.0.1 - mysql.size Shell Command Injection	4 May 201600:00	–	exploitpack
Tenable Nessus	GLSA-201612-42 : Zabbix: Multiple vulnerabilities	14 Dec 201600:00	–	nessus
Tenable Nessus	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Zabbix vulnerabilities (USN-4767-1)	21 Oct 202300:00	–	nessus
Tenable Nessus	Zabbix < 2.0.18 / 2.2.13 / 3.0.3 'mysql.size' Parameter Command Injection	27 May 201600:00	–	nessus
Gentoo Linux	Zabbix: Multiple vulnerabilities	13 Dec 201600:00	–	gentoo

NVD

Node

zabbix zabbixMatch2.0.0

OR

zabbix zabbixMatch2.0.1

OR

zabbix zabbixMatch2.0.2

OR

zabbix zabbixMatch2.0.3

OR

zabbix zabbixMatch2.0.4

OR

zabbix zabbixMatch2.0.5

OR

zabbix zabbixMatch2.0.6

OR

zabbix zabbixMatch2.0.7

OR

zabbix zabbixMatch2.0.8

OR

zabbix zabbixMatch2.0.9

OR

zabbix zabbixMatch2.0.10

OR

zabbix zabbixMatch2.0.11

OR

zabbix zabbixMatch2.0.12

OR

zabbix zabbixMatch2.0.13

OR

zabbix zabbixMatch2.0.14

OR

zabbix zabbixMatch2.0.15

OR

zabbix zabbixMatch2.0.16

OR

zabbix zabbixMatch2.0.17

OR

zabbix zabbixMatch2.2.0-

OR

zabbix zabbixMatch2.2.1-

OR

zabbix zabbixMatch2.2.2-

OR

zabbix zabbixMatch2.2.3-

OR

zabbix zabbixMatch2.2.4

OR

zabbix zabbixMatch2.2.5

OR

zabbix zabbixMatch2.2.6

OR

zabbix zabbixMatch2.2.7

OR

zabbix zabbixMatch2.2.8

OR

zabbix zabbixMatch2.2.9

OR

zabbix zabbixMatch2.2.10

OR

zabbix zabbixMatch2.2.11

OR

zabbix zabbixMatch2.2.12

OR

zabbix zabbixMatch3.0.0

OR

zabbix zabbixMatch3.0.2

Source	Link
zabbix	www.zabbix.com/documentation/2.0/manual/introduction/whatsnew2018
securityfocus	www.securityfocus.com/bid/89631
securityfocus	www.securityfocus.com/archive/1/538258/100/0/threaded
support	www.support.zabbix.com/browse/ZBX-10741
packetstormsecurity	www.packetstormsecurity.com/files/136898/Zabbix-Agent-3.0.1-mysql.size-Shell-Command-Injection.html
zabbix	www.zabbix.com/documentation/2.2/manual/introduction/whatsnew2213
security	www.security.gentoo.org/glsa/201612-42
exploit-db	www.exploit-db.com/exploits/39769/
zabbix	www.zabbix.com/documentation/3.0/manual/introduction/whatsnew303
seclists	www.seclists.org/fulldisclosure/2016/May/9

Parameter	Position	Path	Description	CWE
third parameter	binary	tcp://localhost:10050	Shell command injection via mysql.size user parameter when /bin/sh is not bash, allowing arbitrary commands/SQL execution from the Zabbix agent TCP interface.	CWE-89

13 May 2026 00:24Current

8.3High risk

Vulners AI Score8.3

CVSS 26.8

CVSS 38.1

EPSS0.4496

zabbix agent userparameter mysql configuration cve-2016-4338 security vulnerability nvd