CVE-2016-4338
CVE-2016-4338
The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter.
Affected products
n/a · n/apublic PoCs found — 3
cve_referencepacketstormsecurity.com/files/136898/Zabbix-Agent-3.0.1-mysql.size-Shell-Command-Injection.htmlunverifiedcve_referencewww.exploit-db.com/exploits/39769/unverifiedexploitdbwww.exploit-db.com/exploits/39769unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/136898/Zabbix-Agent-3.0.1-mysql.size-Shell-Command-Injection.htmlhttp://seclists.org/fulldisclosure/2016/May/9https://security.gentoo.org/glsa/201612-42https://support.zabbix.com/browse/ZBX-10741https://www.exploit-db.com/exploits/39769/https://www.zabbix.com/documentation/2.0/manual/introduction/whatsnew2018#miscellaneous_improvementshttps://www.zabbix.com/documentation/2.2/manual/introduction/whatsnew2213#miscellaneous_improvementshttps://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew303#miscellaneous_improvementshttp://www.securityfocus.com/archive/1/538258/100/0/threadedhttp://www.securityfocus.com/bid/89631