Lucene search

ZabbixVULNRICHMENT:CVE-2024-22116

HistoryAug 09, 2024 - 10:16 a.m.

CVE-2024-22116 Remote code execution within ping script

2024-08-0910:16:34

CWE-94

Zabbix

github.com

cve-2024-22116

ping script

remote code execution

monitoring hosts

script parameters

arbitrary code

infrastructure

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

7.9

Confidence

Low

EPSS

Percentile

9.5%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*"
    ],
    "vendor": "zabbix",
    "product": "zabbix",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.0",
        "versionType": "custom",
        "lessThanOrEqual": "6.4.15"
      },
      {
        "status": "affected",
        "version": "7.0.0alpha1",
        "versionType": "custom",
        "lessThanOrEqual": "7.0.0rc2"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

support.zabbix.com/browse/ZBX-25016

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

7.9

Confidence

Low

EPSS

Percentile

9.5%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-22116