oss-security - Re: RCE in Zabbix 2.2 to 3.0.3

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 1 Nov 2016 14:17:05 -0400
From: <cve-assign@...re.org>
To: <mprpic@...hat.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: RCE in Zabbix 2.2 to 3.0.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://www.exploit-db.com/exploits/39937/
> Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution

> /api_jsonrpc.php

> "method": "script.update",

> "command": ""+cmd+""

Use CVE-2016-9140.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYGNtZAAoJEHb/MwWLVhi2DQkQALB8gccuZBXkOAwXv3ekuCpi
cNjh+qEd3pJxkd0EgmeQknO084oLV1rRn6Ss2Uh5FtBOaQJ5K/oiCjcarZ4bT8ro
oZnBndJwXEVaI1UsH+6ustwZoZSr7dGjw82w82wwVnayGFRMbmWuJNFdPtXUxuKf
5BWzXo4ZqlZbp5XuGJegm7gbAL56LYTkiMmb5yo+nN/7wApHc0cK8WaXkMW+LXB7
qlUVefp/uvzG9Ma8Z9TvJnrgAoyCe2L8j2Y2CvZ28TUA4ugg7OaYpZkx/TWf883p
KSyCiFsomfMwrkKKSZ5c8pFAzOtUdvyVYvgHH9YklhaH6P3s0RZM+DRfmC63rVIG
kcKN3asrGcP7lawreVsSCZCmMOzwhsmMiRilFmeJ+Tk369T0+B8ZxzgTFQ3QGk6t
+gWS2P6LAAsHfz0YKf/ROoPdKxd6QmagYsfRGQWE/Qc2quH1zBFypjQ3JDWji7Mb
5REW4en6zQiaTfJMJpwtSyVPjTpNflIXaMysLWRarm6ca3rWZACIe1Wa1quN/Fj+
rr07YAG9J8MOraHxaR7/ynn+8rBws0QpGEFrorL9IXUfONpWRxvX1gL2T//6QA6N
67lISYiiR4+9vrpC4Ioa7tqUHJZeZU6bPeBBQLcF9S9slkpJPSpp4CUNY/5E3bcs
HOZHKY2M77oOr5Hv9UGw
=yO7W
-----END PGP SIGNATURE-----

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.