CVE-2017-2824

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

  • Published: May 24, 2017
  • Updated: Apr 13, 2023
  • CVE: CVE-2017-2824
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 8.1
  • AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

  • Severity: Medium
  • Score: 6.8
  • AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

| Software | From | Fixed in |
|---|---|---|
| zabbix / zabbix | 2.4.2-rc1 | 2.4.2-rc1.x |
| zabbix / zabbix | 2.4.0-rc3 | 2.4.0-rc3.x |
| zabbix / zabbix | 2.4.9-rc1 | 2.4.9-rc1.x |
| zabbix / zabbix | 2.4.0-rc1 | 2.4.0-rc1.x |
| zabbix / zabbix | 2.4.4-rc1 | 2.4.4-rc1.x |
| zabbix / zabbix | 2.4.6 | 2.4.6.x |
| zabbix / zabbix | 2.4.0 | 2.4.0.x |
| zabbix / zabbix | 2.4.3-rc1 | 2.4.3-rc1.x |
| zabbix / zabbix | 2.4.5-rc1 | 2.4.5-rc1.x |
| zabbix / zabbix | 2.4.2 | 2.4.2.x |
| zabbix / zabbix | 2.4.6-rc1 | 2.4.6-rc1.x |
| zabbix / zabbix | 2.4.1-rc2 | 2.4.1-rc2.x |
| zabbix / zabbix | 2.4.8 | 2.4.8.x |
| zabbix / zabbix | 2.4.5 | 2.4.5.x |
| zabbix / zabbix | 2.4.3 | 2.4.3.x |
| zabbix / zabbix | 2.4.9 | 2.4.9.x |
| zabbix / zabbix | 2.4.7 | 2.4.7.x |
| zabbix / zabbix | 2.4.8-rc1 | 2.4.8-rc1.x |
| zabbix / zabbix | 2.4.7-rc1 | 2.4.7-rc1.x |
| zabbix / zabbix | 2.4.0-rc2 | 2.4.0-rc2.x |
| zabbix / zabbix | 2.4.1-rc1 | 2.4.1-rc1.x |
| zabbix / zabbix | 2.4.4 | 2.4.4.x |
| zabbix / zabbix | 2.4.1 | 2.4.1.x |