Date: Sun, 4 Dec 2016 16:18:27 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Cc: mprpic@...hat.com, cve-assign@...re.org, James Cowgill <jcowgill@...ian.org> Subject: Re: Re: RCE in Zabbix 2.2 to 3.0.3 Hi On Tue, Nov 01, 2016 at 02:17:05PM -0400, cve-assign@...re.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > https://www.exploit-db.com/exploits/39937/ > > Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution > > > /api_jsonrpc.php > > > "method": "script.update", > > > "command": ""+cmd+"" > > Use CVE-2016-9140. This has later on been reported upstream, as https://support.zabbix.com/browse/ZBX-11483 . Upstream believes that this is not a vulnerability, but a superadmin able to use a feature as intended. Cf. https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202709&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202709 and https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202789&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202789 As such this might be actually be REJECTed. Martin and CVE assigning team from MITRE, does this look correct? Should the CVE be rejected instead? Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ