oss-sec mailing list archives
Re: Re: RCE in Zabbix 2.2 to 3.0.3
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 4 Dec 2016 16:18:27 +0100
Hi

On Tue, Nov 01, 2016 at 02:17:05PM -0400, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> https://www.exploit-db.com/exploits/39937/
> Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution
>
> /api_jsonrpc.php
> "method": "script.update",
> "command": ""+cmd+""
>
> Use CVE-2016-9140.
This has later on been reported upstream, as https://support.zabbix.com/browse/ZBX-11483 . Upstream believes that this is not a vulnerability, but a superadmin able to use a feature as intended. Cf.

https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202709&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202709
and
https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202789&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202789

As such this might actually be REJECTed. Martin and CVE assigning team from MITRE, does this look correct? Should the CVE be rejected instead?

Regards,
Salvatore
Current thread:
- RCE in Zabbix 2.2 to 3.0.3 Martin Prpic (Nov 01)
- Re: RCE in Zabbix 2.2 to 3.0.3 cve-assign (Nov 01)
- Re: Re: RCE in Zabbix 2.2 to 3.0.3 Salvatore Bonaccorso (Dec 04)
- Re: RCE in Zabbix 2.2 to 3.0.3 cve-assign (Nov 01)