CVE-2024-22123

NameCVE-2024-22123
DescriptionSetting SMS media allows to set GSM modem file. Later this file is used as Linux device. But due everything is a file for Linux, it is possible to set another file, e.g. log file and zabbix_server will try to communicate with it as modem. As a result, log file will be broken with AT commands and small part for log file content will be leaked to UI.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3909-1, ELA-1193-1
Debian Bugs1078553

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)jessie, jessie (lts)1:2.2.23+dfsg-0+deb8u9fixed
stretch (security)1:3.0.32+dfsg-0+deb9u3vulnerable
stretch (lts), stretch1:3.0.32+dfsg-0+deb9u8fixed
buster (security), buster, buster (lts)1:4.0.4+dfsg-1+deb10u5vulnerable
bullseye1:5.0.8+dfsg-1vulnerable
bullseye (security)1:5.0.45+dfsg-1+deb11u1fixed
bookworm1:6.0.14+dfsg-1vulnerable
sid, trixie1:7.0.6+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourcejessie2.2.23+dfsg-0+deb8u8ELA-1193-1
zabbixsourcestretch1:3.0.32+dfsg-0+deb9u7ELA-1193-1
zabbixsourcebuster(unfixed)end-of-life
zabbixsourcebullseye1:5.0.44+dfsg-1+deb11u1DLA-3909-1
zabbixsource(unstable)1:7.0.0+dfsg-11078553

Notes

https://support.zabbix.com/browse/ZBX-25013
https://github.com/zabbix/zabbix/commit/499ac935f60b38992488ff895c06da8bd80d95cc (7.0.x)
https://github.com/zabbix/zabbix/commit/eb64b83355dae7286821c5237f7ab83038c22367 (6.0.x)
https://github.com/zabbix/zabbix/commit/dcd875c22d0f3e5106e855d9f7e9ef7c51fae9aa (5.0.x)

Search for package or bug name: Reporting problems