support.zabbix.com
URL:
https://support.zabbix.com/browse/ZBX-25016
Submission: On December 13 via api from BY — Scanned from US
Form analysis
2 forms found in the DOM
GET /secure/QuickSearch.jspa
<form action="/secure/QuickSearch.jspa" method="get" id="quicksearch" class="aui-quicksearch dont-default-focus ajs-dirty-warning-exempt">
<input id="quickSearchInput" aria-live="polite" role="searchbox" autocomplete="off" class="search" type="text" title="Search ( Type '/' )" placeholder="Search" name="searchString" accesskey="q">
<div class="quick-search-spinner"></div>
<input type="submit" class="hidden" value="Search">
</form>
<form id="jira_request_timing_info" class="dont-default-focus">
<fieldset class="parameters hidden">
<input type="hidden" title="jira.request.start.millis" value="1734051643933">
<input type="hidden" title="jira.request.server.time" value="209">
<input type="hidden" title="jira.request.id" value="180x20534861x1">
<input type="hidden" title="jira.session.expiry.time" value="-">
<input type="hidden" title="jira.session.expiry.in.mins" value="-">
<input id="jiraConcurrentRequests" type="hidden" name="jira.request.concurrent.requests" value="1">
<input type="hidden" title="db.reads.time.in.ms" value="12">
<input type="hidden" title="db.conns.time.in.ms" value="20">
</fieldset>
</form>
Text Content
ZABBIX BUGS AND ISSUES
ZBX-25016 REMOTE CODE EXECUTION WITHIN PING SCRIPT (CVE-2024-22116)
Status: Closed

DETAILS
* Type: Defect (Security)
* Resolution: Fixed
* Priority: Critical
* Fix Version/s: 6.4.16rc1, 7.0.0rc3
* Affects Version/s: 6.4.15, 7.0.0rc2
* Component/s: Server (S)
* Labels: None

DESCRIPTION
Mitre ID: CVE-2024-22116
CVSS score: 9.9
CVSS vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: Critical
Summary: Remote code execution within ping script
Description: An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user to execute arbitrary code via the Ping script, thereby compromising infrastructure.
Common Weakness Enumeration (CWE): CWE-94 Improper Control of Generation of Code ('Code Injection')
Common Attack Pattern Enumeration and Classification (CAPEC): CAPEC-253 Remote Code Inclusion
Known attack vectors: Compromise of the monitoring environment

Details
Patch provided: No
Component/s: Server
Affected and fixed version/s:
* 6.4.9 - 6.4.15 / 6.4.16rc1
* 7.0.0alpha1 - 7.0.0rc2 / 7.0.0rc3
Fix compatibility tests: -
Resolution: Fixed
Workarounds: -
Acknowledgements: Zabbix wants to thank justonezero and Qusai Alhaddad (qusaialhaddad), who submitted this report through the HackerOne bug bounty platform.

ATTACHMENTS

ACTIVITY
[ZBX-25016] REMOTE CODE EXECUTION WITHIN PING SCRIPT (CVE-2024-22116)
There are no comments yet on this issue.

PEOPLE
Assignee: Zabbix Support Team
Reporter: Maris Melnikovs (Inactive)
Votes: 0
Watchers: 2

DATES
Created: 2024 Aug 09 16:35
Updated: 2024 Aug 27 12:06
Resolved: 2024 Aug 09 16:35