CVE-2024-22120

CVE-2024-22120

Name

CVE-2024-22120

Description

Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security@zabbix.com	https://support.zabbix.com/browse/ZBX-24505

Type

URI

security@zabbix.com

https://support.zabbix.com/browse/ZBX-24505

Match rules

CPE URI	Source package	Min version	Max version
`None`	zabbix	>= 6.0.0	<= 6.0.27
`None`	zabbix	>= 6.4.0	<= 6.4.12
	zabbix	>= 7.0.0alpha1	<= 7.0.0beta1
`cpe:2.3:a:zabbix:zabbix::::::::`	zabbix	>= 6.0.0	< 6.0.28
`cpe:2.3:a:zabbix:zabbix::::::::`	zabbix	>= 6.4.0	< 6.4.13
`cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1::::::`	zabbix	== None	== 7.0.0

CPE URI

Source package

Min version

Max version

None

zabbix

>= 6.0.0

<= 6.0.27

None

zabbix

>= 6.4.0

<= 6.4.12

zabbix

>= 7.0.0alpha1

<= 7.0.0beta1

cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*

zabbix

>= 6.0.0

< 6.0.28

cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*

zabbix

>= 6.4.0

< 6.4.13

cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*

zabbix

== None

== 7.0.0

Source package	Branch	Version	Maintainer	Status
zabbix	3.19-community	6.4.14-r0	Kevin Daudt <kdaudt@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

zabbix

3.19-community

6.4.14-r0

Kevin Daudt <kdaudt@alpinelinux.org>

fixed

References

Match rules

Vulnerable and fixed packages