CVE-2024-22116

Published: Aug 12, 2024Modified: Jun 17, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.

Affected (15)

Products: Zabbix: Zabbix

Zabbix

1 product

Zabbix

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Zabbix Zabbix	From 6.4.9 to 6.4.15
Zabbix Zabbix	Version 7.0.0 alpha1
Zabbix Zabbix	Version 7.0.0 alpha2
Zabbix Zabbix	Version 7.0.0 alpha3
Zabbix Zabbix	Version 7.0.0 alpha4
Zabbix Zabbix	Version 7.0.0 alpha5
Zabbix Zabbix	Version 7.0.0 alpha6
Zabbix Zabbix	Version 7.0.0 alpha7
Zabbix Zabbix	Version 7.0.0 alpha8
Zabbix Zabbix	Version 7.0.0 alpha9
Zabbix Zabbix	Version 7.0.0 beta1
Zabbix Zabbix	Version 7.0.0 beta2
Zabbix Zabbix	Version 7.0.0 beta3
Zabbix Zabbix	Version 7.0.0 rc1
Zabbix Zabbix	Version 7.0.0 rc2

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://support.zabbix.com/browse/ZBX-25016

Source: security@zabbix.com

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.