CVE-2021-46088

NameCVE-2021-46088
DescriptionZabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context of the application user.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)stretch1:3.0.7+dfsg-3undetermined
stretch (security)1:3.0.32+dfsg-0+deb9u3undetermined
buster1:4.0.4+dfsg-1undetermined
bullseye1:5.0.8+dfsg-1undetermined
bookworm, sid1:5.0.17+dfsg-1undetermined

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsource(unstable)undetermined

Notes

closed upstream as a "feature", then changed in 5.4 to make the attack less likely
https://github.com/paalbra/zabbix-zbxsec-7
https://www.zabbix.com/documentation/3.0/en/manual/config/notifications/action/operation/remote_command
https://www.zabbix.com/documentation/current/en/manual/config/notifications/action/operation/remote_command#access-permissions

Search for package or bug name: Reporting problems