CVE-2024-22122

2024-08-1200:00:00

ubuntu.com

zabbix

command injection

sms

validation

at commands

modem

unix

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

AI Score

8.2

Confidence

Low

JSON

Zabbix allows to configure SMS notifications. AT command injection occurs
on “Zabbix Server” because there is no validation of “Number” field on Web
nor on Zabbix server side. Attacker can run test of SMS providing specially
crafted phone number and execute additional AT commands on modem.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchzabbix< anyUNKNOWN
ubuntu20.04noarchzabbix< anyUNKNOWN
ubuntu22.04noarchzabbix< anyUNKNOWN
ubuntu14.04noarchzabbix< anyUNKNOWN
ubuntu16.04noarchzabbix< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	zabbix	< any	UNKNOWN
ubuntu	20.04	noarch	zabbix	< any	UNKNOWN
ubuntu	22.04	noarch	zabbix	< any	UNKNOWN
ubuntu	14.04	noarch	zabbix	< any	UNKNOWN
ubuntu	16.04	noarch	zabbix	< any	UNKNOWN