CVE-2024-22123

Published: Aug 12, 2024Modified: Jun 17, 2026

2.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Exploitability: 1.2 / Impact: 1.4

Source: NVD

Description

Setting SMS media allows to set GSM modem file. Later this file is used as Linux device. But due everything is a file for Linux, it is possible to set another file, e.g. log file and zabbix_server will try to communicate with it as modem. As a result, log file will be broken with AT commands and small part for log file content will be leaked to UI.

Affected (17)

Products: Zabbix: Zabbix

Zabbix

1 product

Zabbix

Configuration A

17 vulnerable

Vulnerable Software	Affected Versions
Zabbix Zabbix	From 5.0.0 to 5.0.42
Zabbix Zabbix	From 6.0.0 to 6.0.30
Zabbix Zabbix	From 6.4.0 to 6.4.15
Zabbix Zabbix	Version 7.0.0 alpha1
Zabbix Zabbix	Version 7.0.0 alpha2
Zabbix Zabbix	Version 7.0.0 alpha3
Zabbix Zabbix	Version 7.0.0 alpha4
Zabbix Zabbix	Version 7.0.0 alpha5
Zabbix Zabbix	Version 7.0.0 alpha6
Zabbix Zabbix	Version 7.0.0 alpha7
Zabbix Zabbix	Version 7.0.0 alpha8
Zabbix Zabbix	Version 7.0.0 alpha9
Zabbix Zabbix	Version 7.0.0 beta1
Zabbix Zabbix	Version 7.0.0 beta2
Zabbix Zabbix	Version 7.0.0 beta3
Zabbix Zabbix	Version 7.0.0 rc1
Zabbix Zabbix	Version 7.0.0 rc2

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://support.zabbix.com/browse/ZBX-25013

Source: security@zabbix.com

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.