From d4951ceb2a63e3534afad80ed3f52b8a288a1ba2 Mon Sep 17 00:00:00 2001 From: dbaio Date: Wed, 16 Aug 2017 15:15:33 +0000 Subject: security/vuxml: Document Zabbix vulnerability Security: CVE-2017-2824 --- security/vuxml/vuln.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 9c8288283601..2f4024fbdb8f 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,52 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + Zabbix -- Remote code execution + + + zabbix2-server + zabbix2-proxy + 2.0.20 + + + zabbix22-server + zabbix22-proxy + 2.2.19 + + + zabbix3-server + zabbix3-proxy + 3.0.10 + + + zabbix32-server + zabbix32-proxy + 3.2.7 + + + + +

mitre reports:

+
An exploitable code execution vulnerability exists in the trapper command + functionality of Zabbix Server 2.4.X. A specially crafted set of packets + can cause a command injection resulting in remote code execution. An attacker + can make requests from an active Zabbix Proxy to trigger this vulnerability.
+

+ + + + CVE-2017-2824 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2824 + https://support.zabbix.com/browse/ZBX-12349 + + + 2017-07-05 + 2017-08-16 + + + Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests -- cgit