Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.ZABBIX_FRONTEND_2_0_18.NASL
HistoryMay 27, 2016 - 12:00 a.m.

Zabbix < 2.0.18 / 2.2.13 / 3.0.3 'mysql.size' Parameter Command Injection

2016-05-2700:00:00
This script is Copyright (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
22

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.021 Low

EPSS

Percentile

89.3%

JSON

According to its self-reported version number, the instance of Zabbix running on the remote host is affected by a command injection vulnerability due to improper sanitization of user-supplied input to the ‘mysql.size’ user parameter. An unauthenticated, remote attacker can exploit this to inject arbitrary shell commands.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(91349);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2016-4338");
  script_bugtraq_id(89631);
  script_xref(name:"EDB-ID", value:"39769");
  script_xref(name:"IAVB", value:"2016-B-0095-S");

  script_name(english:"Zabbix < 2.0.18 / 2.2.13 / 3.0.3 'mysql.size' Parameter Command Injection");

  script_set_attribute(attribute:"synopsis", value:
"The remote web application is affected by a command injection
vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of Zabbix
running on the remote host is affected by a command injection
vulnerability due to improper sanitization of user-supplied input to
the 'mysql.size' user parameter. An unauthenticated, remote attacker
can exploit this to inject arbitrary shell commands.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://support.zabbix.com/browse/ZBX-10741");
  script_set_attribute(attribute:"see_also", value:"https://www.zabbix.com/rn/rn2.0.18");
  script_set_attribute(attribute:"see_also", value:"https://www.zabbix.com/rn/rn2.2.13");
  script_set_attribute(attribute:"see_also", value:"https://www.zabbix.com/rn/rn3.0.3");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Zabbix version 2.0.18 / 2.2.13 / 3.0.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4338");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/27");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zabbix:zabbix");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("zabbix_frontend_detect.nasl");
  script_require_keys("installed_sw/zabbix", "Settings/ParanoidReport");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "zabbix";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port,
  exit_if_unknown_ver : TRUE
);

dir = install['path'];
ver = install['version'];
install_url = build_url(port:port, qs:dir);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

fix = NULL;

if (ver =~ "^2\.0\.(([0-9]|1[0-7])(rc[0-9]+)?($|[^0-9]))")
  fix = "2.0.18";

else if (ver =~ "2\.2\.(([0-9]|1[0-2])(rc[0-9]+)?($|[^0-9]))")
  fix = "2.2.13";

else if (ver =~ "3\.0\.([0-2](rc[0-9]+)?($|[^0-9]))")
  fix = "3.0.3";

if (!isnull(fix))
{
  report =
    '\n  URL               : ' + install_url +
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : ' + fix +
    '\n';

  security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
  exit(0);
}
else
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "Zabbix", install_url, ver);
VendorProductVersionCPE
zabbixzabbixcpe:/a:zabbix:zabbix

Related

nvd 1
packetstorm 1
openvas 2
seebug 1
ubuntucve 1
exploitpack 1
cvelist 1
debiancve 1
zdt 1
cve 1
prion 1
exploitdb 1
gentoo 1
nessus 2
osv 1
ubuntu 1
nvd
nvd
CVE-2016-4338
2017-01-23 21:59:01
packetstorm
packetstorm
Zabbix Agent 3.0.1 mysql.size Shell Command Injection
2016-05-03 00:00:00
openvas
openvas
Zabbix Arbitrary Code Execution Vulnerability (CVE-2016-4338)
2017-01-26 00:00:00
Ubuntu: Security Advisory (USN-4767-1)
2023-01-27 00:00:00
seebug
seebug
Zabbix Agent 3.0.1 mysql. size shell command injection
2016-08-08 00:00:00
ubuntucve
ubuntucve
CVE-2016-4338
2017-01-23 00:00:00
exploitpack
exploitpack
Zabbix Agent 3.0.1 - mysql.size Shell Command Injection
2016-05-04 00:00:00
cvelist
cvelist
CVE-2016-4338
2017-01-23 21:00:00
debiancve
debiancve
CVE-2016-4338
2017-01-23 21:59:01
zdt
zdt
Zabbix Agent 3.0.1 - mysql.size Shell Command Injection
2016-05-04 00:00:00
cve
cve
CVE-2016-4338
2017-01-23 21:59:01
prion
prion
Sql injection
2017-01-23 21:59:00
exploitdb
exploitdb
Zabbix Agent 3.0.1 - &#039;mysql.size&#039; Shell Command Injection
2016-05-04 00:00:00
gentoo
gentoo
Zabbix: Multiple vulnerabilities
2016-12-13 00:00:00
nessus
nessus
GLSA-201612-42 : Zabbix: Multiple vulnerabilities
2016-12-14 00:00:00
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Zabbix vulnerabilities (USN-4767-1)
2023-10-21 00:00:00
osv
osv
zabbix vulnerabilities
2022-06-15 08:28:18
ubuntu
ubuntu
Zabbix vulnerabilities
2022-06-15 00:00:00

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.021 Low

EPSS

Percentile

89.3%

JSON
Related for ZABBIX_FRONTEND_2_0_18.NASL
nvd1packetstorm1openvas2seebug1ubuntucve1exploitpack1cvelist1debiancve1zdt1cve1prion1exploitdb1gentoo1nessus2osv1ubuntu1