PT-2017-8481 · Zabbix+3 · Zabbix+3

Timo Lindfors

Published

2014-07-18

Updated

2022-06-15

CVE-2016-4338

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Zabbix versions prior to 2.0.18 Zabbix versions 2.2.x prior to 2.2.13 Zabbix versions 3.0.x prior to 3.0.3

Description The issue allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter in the mysql user parameter configuration script when used with a shell other than bash.

Recommendations For Zabbix versions prior to 2.0.18, update to version 2.0.18 or later. For Zabbix versions 2.2.x prior to 2.2.13, update to version 2.2.13 or later. For Zabbix versions 3.0.x prior to 3.0.3, update to version 3.0.3 or later.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

ALT-PU-2014-1941

ALT-PU-2014-2165

ALT-PU-2016-1118

ALT-PU-2016-1167

ALT-PU-2016-1518

ALT-PU-2016-1782

ALT-PU-2016-1977

ALT-PU-2016-2058

ALT-PU-2017-2601

ALT-PU-2019-1862

ALT-PU-2020-1083

ALT-PU-2020-2718

ALT-PU-2020-3398

ALT-PU-2020-3446

ALT-PU-2021-2018

ALT-PU-2021-2156

CVE-2016-4338

USN-4767-1

Affected Products

Alt Linux

Linuxmint

Ubuntu

Zabbix

PT-2017-8481 · Zabbix+3 · Zabbix+3

CVE-2016-4338

Weakness Enumeration

Related Identifiers

Affected Products

References · 41