CVE-2014-3005

Name:          CVE-2014-3005
Description:   XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
Source:        CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity:  high (attack range: remote)
Debian Bugs:   751910

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                    Version                  Status
zabbix (PTS)     jessie (security), jessie  1:2.2.7+dfsg-2+deb8u3    fixed
zabbix (PTS)     stretch                    1:3.0.7+dfsg-3           fixed
zabbix (PTS)     buster                     1:4.0.3+dfsg-1           fixed
zabbix (PTS)     sid                        1:4.0.3+dfsg-2           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency       Origin   Debian Bugs
zabbix    source   (unstable)   1:2.2.5+dfsg-1    high                   751910
zabbix    source   squeeze      (unfixed)         end-of-life

Notes

[squeeze] - zabbix <end-of-life> (Unsupported in squeeze-lts)
http://seclists.org/fulldisclosure/2014/Jun/87
Upstream issue tracking https://support.zabbix.com/browse/ZBX-8151
