CVE-2024-22122

2024-08-1213:38:16

Debian Security Bug Tracker

security-tracker.debian.org

zabbix

sms

notification

at command

injection

unix

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

AI Score

Confidence

Low

EPSS

Percentile

9.5%

JSON

Zabbix allows to configure SMS notifications. AT command injection occurs on “Zabbix Server” because there is no validation of “Number” field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.

OSVersionArchitecturePackageVersionFilename
Debian12allzabbix<= 1:6.0.14+dfsg-1zabbix_1:6.0.14+dfsg-1_all.deb
Debian11allzabbix<= 1:5.0.8+dfsg-1zabbix_1:5.0.8+dfsg-1_all.deb
Debian999allzabbix< 1:7.0.0+dfsg-1zabbix_1:7.0.0+dfsg-1_all.deb
Debian13allzabbix< 1:7.0.0+dfsg-1zabbix_1:7.0.0+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	zabbix	<= 1:6.0.14+dfsg-1	zabbix_1:6.0.14+dfsg-1_all.deb
Debian	11	all	zabbix	<= 1:5.0.8+dfsg-1	zabbix_1:5.0.8+dfsg-1_all.deb
Debian	999	all	zabbix	< 1:7.0.0+dfsg-1	zabbix_1:7.0.0+dfsg-1_all.deb
Debian	13	all	zabbix	< 1:7.0.0+dfsg-1	zabbix_1:7.0.0+dfsg-1_all.deb