PT-2022-1636 · Zabbix

Author: Paalbra
Published: 2021-08-20
Updated: 2024-12-10

CVE ID: CVE-2021-46088
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Zabbix versions 4.0 LTS through 5.0 LTS

Description: The issue allows for Remote Code Execution (RCE) due to authorization errors. Any user with the Zabbix Admin role can run custom shell scripts on the application server in the context of the application user. This could potentially allow an attacker to execute arbitrary code with root privileges.

Recommendations: For Zabbix versions 4.0 LTS, 4.2, 4.4, and 5.0 LTS, consider restricting the Zabbix Admin role to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling custom shell script execution on the application server until a fix is released. Restrict access to the application server to minimize the risk of exploitation.

Exploit: available
Fix: available

Weakness Enumeration

Missing Authorization

Related Identifiers

ALT-PU-2021-2582
ALT-PU-2021-2668
ALT-PU-2023-6268
BDU:2022-00879
CVE-2021-46088
ROSA-SA-2024-2539

Affected Products

Alt Linux
Zabbix