ALT-PU-2024-1497-1

Severity:

Closed issues (5)

BDU:2024-00033

HIGH7.2

Уязвимость функции icmpping универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный код

Published: 2024-01-05Modified: 2024-11-11

CVSS 3.xHIGH 7.2

CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 8.3

CVSS:2.0/AV:N/AC:L/Au:M/C:C/I:C/A:C

References

CVE-2023-32727

BDU:2024-00645

HIGH8.1

Уязвимость компонента DNS Response Handler агента универсальной системы мониторинга Zabbix, позволяющая нарушителю вызвать переполнение буфера

Published: 2024-01-24Modified: 2024-11-11

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2023-32726

CVE-2023-32726

HIGH8.1

The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.

Published: 2023-12-18Modified: 2025-11-03

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2023-32727

HIGH7.2

An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.

Published: 2023-12-18Modified: 2025-11-03

CVSS 3.xHIGH 7.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

CVE-2023-32728

CRITICAL9.8

The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

Published: 2023-12-18Modified: 2024-11-21

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Closed bugs (1)

Bug #49152

Package update zabbix in branch p10_e2k

Closed issues (5)

Уязвимость функции icmpping универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный код

Уязвимость компонента DNS Response Handler агента универсальной системы мониторинга Zabbix, позволяющая нарушителю вызвать переполнение буфера

The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.

An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.

The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

Closed bugs (1)

Несколько неприятных CVE в Zabbix 6.0.22: CVE-2023-32728, CVE-2023-32727, CVE-2023-32726