Remote Code Execution via Script Params in Monitoring Hosts (Ping script)
CVE-2024-22116 Published on August 12, 2024
Remote code execution within ping script
An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. Because script parameters were not escaped by default, such a user could execute arbitrary code via the Ping script, thereby compromising the infrastructure.
Vulnerability Analysis
CVE-2024-22116 is exploitable with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of exploiting this vulnerability is considered critical, as it has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
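The following is an added illustration of this weakness class, not Zabbix code and not taken from the advisory: a script parameter (a target host) is first interpolated into a shell string, which lets shell metacharacters change the command's syntax, and then handled the hardened way, with an allow-list check and an argv list so the parameter can only ever be a single argument. The function names, the `ping -c 3` command shape and the sample parameter values are assumptions made for the example.

```python
import ipaddress
import re
import shlex

# Constructed example, not Zabbix's implementation. Models a host-level
# script whose parameter ends up on a shell command line.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
SHELL_META = set(";&|`$<>(){}\n'\"\\ ")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern (CWE-94 style): the parameter is spliced into a
    shell string. Anything in 'host' that the shell treats as syntax
    (';', '|', '$(...)', ...) becomes part of the command, not an argument."""
    return f"ping -c 3 {host}"


def validate_host(host: str) -> bool:
    """Allow-list check: accept an IPv4/IPv6 literal or a DNS hostname only."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def build_command_safe(host: str):
    """Hardened pattern: validate first, then pass the parameter as one argv
    element (for subprocess.run(argv) without shell=True). Returns None when
    the parameter is rejected, so callers fail closed."""
    if not validate_host(host):
        return None
    return ["ping", "-c", "3", host]


def shell_string_for_logging(argv) -> str:
    """When a string form is unavoidable (audit log, shell wrapper), quote
    every element so the parameter stays a single word."""
    return " ".join(shlex.quote(a) for a in argv)


def looks_like_injection_attempt(param: str) -> bool:
    """Audit helper: flag parameter values carrying shell metacharacters so
    rejected script invocations can be alerted on, not just dropped."""
    return any(ch in SHELL_META for ch in param)
```

Rejected parameters are worth logging with `looks_like_injection_attempt` rather than silently discarding, since a low-privileged account submitting metacharacter-laden host values is itself a detection signal.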
CVE-2024-22116 has been classified as a Code Injection vulnerability or weakness.
Products Associated with CVE-2024-22116
Affected Versions
Zabbix:
- Versions 6.4.9 to 6.4.15 (inclusive) are affected.
- Versions 7.0.0alpha1 to 7.0.0rc2 (inclusive) are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.