| Name | CVE-2024-22120 |
| Description | Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1072120 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| zabbix (PTS) | bullseye | 1:5.0.8+dfsg-1 | fixed |
| zabbix (PTS) | bullseye (security) | 1:5.0.47+dfsg-0+deb11u1 | fixed |
| zabbix (PTS) | bookworm | 1:6.0.14+dfsg-1 | vulnerable |
| zabbix (PTS) | trixie | 1:7.0.10+dfsg-2 | fixed |
| zabbix (PTS) | forky, sid | 1:7.0.22+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| zabbix | source | buster | (not affected) | | | |
| zabbix | source | bullseye | (not affected) | | | |
| zabbix | source | (unstable) | 1:6.0.29+dfsg-1 | | | 1072120 |
Notes
[bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
https://support.zabbix.com/browse/ZBX-24505
Fixed by: https://github.com/zabbix/zabbix/commit/9013ff74985e40aee6b58e2ed67675b87cab0879 (7.0.0beta2)
Fixed by: https://github.com/zabbix/zabbix/commit/c8ac414ff44127c3e8781eb029f519c060f623fa (6.0.28rc1)
Introduced by: https://github.com/zabbix/zabbix/commit/6c276d866d3f96689609d70c5893cfff8cac7cd6 (first seen in 6.0.0alpha1)