Описание
Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| zabbix | fixed | 1:6.0.29+dfsg-1 | package | |
| zabbix | not-affected | bullseye | package | |
| zabbix | not-affected | buster | package |
Примечания
https://support.zabbix.com/browse/ZBX-24505
Fixed by: https://github.com/zabbix/zabbix/commit/9013ff74985e40aee6b58e2ed67675b87cab0879 (7.0.0beta2)
Fixed by: https://github.com/zabbix/zabbix/commit/c8ac414ff44127c3e8781eb029f519c060f623fa (6.0.28rc1)
introduced by https://github.com/zabbix/zabbix/commit/6c276d866d3f96689609d70c5893cfff8cac7cd6 (first seen in 6.0.0alpha1)
EPSS
Связанные уязвимости
Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Уязвимость сервера универсальной системы мониторинга Zabbix Workstation, связанная с ошибками при обработке входных данных, позволяющая нарушителю выполнить произвольный код
EPSS