Modem File Injection - Log File Compromise
CVE-2024-22123

2.7LOW

Key Information:

Vendor: Zabbix
Status: Zabbix
Vendor: CVE Published:; 12 August 2024

What is CVE-2024-22123?

Setting SMS media allows to set GSM modem file. Later this file is used as Linux device. But due everything is a file for Linux, it is possible to set another file, e.g. log file and zabbix_server will try to communicate with it as modem. As a result, log file will be broken with AT commands and small part for log file content will be leaked to UI.

Affected Version(s)

Zabbix 5.0.0 <= 5.0.42

Zabbix 6.0.0 <= 6.0.30

Zabbix 6.4.0 <= 6.4.15

References

https://support.zabbix.com/browse/ZBX-25013

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2024
Vulnerability Reserved
Jan 5, 2024

Credit

Zabbix wants to thank -- who submitted this report in HackerOne bug bounty platform