| Name | CVE-2024-22120 |
| Description | Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1072120 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| zabbix (PTS) | bullseye | 1:5.0.8+dfsg-1 | fixed |
| bullseye (security) | 1:5.0.46+dfsg-1+deb11u1 | fixed |
| bookworm | 1:6.0.14+dfsg-1 | vulnerable |
| forky, sid, trixie | 1:7.0.10+dfsg-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| zabbix | source | buster | (not affected) | | | |
| zabbix | source | bullseye | (not affected) | | | |
| zabbix | source | (unstable) | 1:6.0.29+dfsg-1 | | | 1072120 |
Notes
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
https://support.zabbix.com/browse/ZBX-24505
Fixed by: https://github.com/zabbix/zabbix/commit/9013ff74985e40aee6b58e2ed67675b87cab0879 (7.0.0beta2)
Fixed by: https://github.com/zabbix/zabbix/commit/c8ac414ff44127c3e8781eb029f519c060f623fa (6.0.28rc1)
introduced by https://github.com/zabbix/zabbix/commit/6c276d866d3f96689609d70c5893cfff8cac7cd6 (first seen in 6.0.0alpha1)