CVE-2017-2824

HIGH severity · CVSS 8.1 · OS command injection

8.1CVSS HIGH

Summary

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)74%

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Zabbix

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://talosintelligence.com/vulnerability_reports/TALOS-2017-0325Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2017-0325Advisory
http://www.debian.org/security/2017/dsa-3937
http://www.securityfocus.com/bid/98083Advisory
http://www.debian.org/security/2017/dsa-3937
http://www.securityfocus.com/bid/98083Advisory