
URL: https://support.zabbix.com/browse/ZBX-25016
Submission: On December 13 via api from BY — Scanned from US



ZABBIX BUGS AND ISSUES




REMOTE CODE EXECUTION WITHIN PING SCRIPT (CVE-2024-22116)


Status: Closed

DETAILS

 * Type: Defect (Security)
 * Resolution: Fixed
 * Priority: Critical
 * Fix Version/s: 6.4.16rc1, 7.0.0rc3
 * Affects Version/s: 6.4.15, 7.0.0rc2
 * Component/s: Server (S)
 * Labels: None


DESCRIPTION

 * Mitre ID: CVE-2024-22116
 * CVSS score: 9.9
 * CVSS vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
 * Severity: Critical
 * Summary: Remote code execution within ping script
 * Description: An administrator with restricted permissions can exploit the script execution functionality in the Monitoring > Hosts section. Because script parameters were not escaped by default, such a user could execute arbitrary code via the Ping script and thereby compromise the infrastructure.
 * Common Weakness Enumeration (CWE): CWE-94 Improper Control of Generation of Code ('Code Injection')
 * Common Attack Pattern Enumeration and Classification (CAPEC): CAPEC-253 Remote Code Inclusion
 * Known attack vectors: Compromise of the monitoring environment
 * Details: -
 * Patch provided: No
 * Component/s: Server
 * Affected and fixed version/s: 6.4.9 - 6.4.15 / 6.4.16rc1; 7.0.0alpha1 - 7.0.0rc2 / 7.0.0rc3
 * Fix compatibility tests: -
 * Resolution: Fixed
 * Workarounds: -
 * Acknowledgements: Zabbix wants to thank justonezero and Qusai Alhaddad (qusaialhaddad), who submitted this report via the HackerOne bug bounty platform
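The weakness class named above (CWE-94: a script parameter spliced into a shell line without escaping) is easier to see than to describe, so here is an added illustration. It is not Zabbix code and does not reproduce the reporters' exploit, which this ticket does not disclose. It expands a host macro into a command template two ways: raw textual substitution, and the same substitution with every macro value shell-quoted. Assumptions: the template shape follows the default Ping script (`ping -c 3 {HOST.CONN}`) with `echo` standing in for `ping` so the demo runs offline; the hostile host value is constructed; `/bin/sh` is available.

```python
"""Unescaped vs. shell-quoted macro expansion in a Zabbix-style global script.

Added illustration of the weakness class behind ZBX-25016 (CWE-94): a macro
value reaching /bin/sh without escaping. Not Zabbix code; the exploit path of
the actual report is not reproduced. Assumptions: the template shape follows
the default Ping script (`ping -c 3 {HOST.CONN}`), with `echo` standing in for
`ping` so the demo runs offline; the hostile host value below is constructed.
"""
import re
import shlex
import subprocess
from typing import Dict, List

# Zabbix-style macro token, e.g. {HOST.CONN}, {HOST.IP}.
MACRO_RE = re.compile(r"\{[A-Z][A-Z0-9_.]*\}")

# Stand-in for the Ping script: `echo pinging` replaces `ping -c 3` (assumption, offline).
PING_TEMPLATE = "echo pinging {HOST.CONN}"

# Constructed hostile value: what an attacker-influenced host field might hold.
INJECTED_HOST = "127.0.0.1; echo INJECTED"


def expand_unescaped(template: str, macros: Dict[str, str]) -> str:
    """Vulnerable expansion: the raw macro value is spliced into the command line.

    Any shell metacharacter in the value (';', '|', '$(...)', backticks) is
    interpreted by the shell that later runs the line. Unknown macros stay as-is.
    """
    return MACRO_RE.sub(lambda m: macros.get(m.group(0), m.group(0)), template)


def expand_quoted(template: str, macros: Dict[str, str]) -> str:
    """Hardened expansion: every macro value is wrapped with shlex.quote().

    shlex.quote() emits a POSIX single-quoted string and rewrites embedded
    single quotes as '"'"' sequences, so the value is always one literal
    argument. Unknown macros stay as-is, as above.
    """
    def sub(m):
        name = m.group(0)
        return shlex.quote(macros[name]) if name in macros else name
    return MACRO_RE.sub(sub, template)


def run_via_shell(command: str) -> List[str]:
    """Run the expanded line the way a runner that hands it to /bin/sh -c would.

    Returns stdout split into lines; a second line from a one-echo template
    means a second command was executed.
    """
    proc = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def demo(host_value: str = INJECTED_HOST) -> Dict[str, List[str]]:
    """Expand and run the template both ways for the given host value."""
    macros = {"{HOST.CONN}": host_value}
    return {
        "unescaped": run_via_shell(expand_unescaped(PING_TEMPLATE, macros)),
        "quoted": run_via_shell(expand_quoted(PING_TEMPLATE, macros)),
    }


if __name__ == "__main__":
    for mode, lines in demo().items():
        print(f"{mode:10s} -> {lines}")
```

Both expanded strings look plausible in a configuration review; the difference only shows when the line reaches the shell, where the unescaped form runs a second command. That is why escaping belongs in the server's expansion step, as the advisory's phrase "default escaping" implies, rather than in the text of each script: a script author who quotes `{HOST.CONN}` by hand is still exposed to a value containing a single quote, whereas quoting at expansion time handles that case too.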



ACTIVITY



There are no comments yet on this issue.


PEOPLE

 * Assignee: Zabbix Support Team
 * Reporter: Maris Melnikovs (Inactive)
 * Votes: 0
 * Watchers: 2


DATES

 * Created: 2024 Aug 09 16:35
 * Updated: 2024 Aug 27 12:06
 * Resolved: 2024 Aug 09 16:35
