CVE-2024-22120
Zabbix SQL Injection Vulnerability
Description
Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
INFO
Published Date :
May 17, 2024, 10:15 a.m.
Last Modified :
Nov. 21, 2024, 8:55 a.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
6.0
Exploitability Score :
2.3
Public PoC/Exploit Available at Github
CVE-2024-22120 has a 24 public PoC/Exploit
available at Github.
Go to the Public Exploits
tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-22120
.
URL | Resource |
---|---|
https://support.zabbix.com/browse/ZBX-24505 | |
https://support.zabbix.com/browse/ZBX-24505 |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
🧛🏻 Nuclei is a fast Customizable SSL scanner powered by Offensive Community, built on .NET's DLR based DSL. Zero shot vulnerability discovery.
cybersecurity nuclei-templates offensive-security penetration-testing cve-scanning engine kali-linux scanner vulnerability-scanners
Dockerfile Makefile Go Shell Smarty Python TypeScript JavaScript C# C++
None
None
HTML
Reproducing the following CVEs with dockerfile:CVE-2024-33644 CVE-2024-34370 CVE-2024-22120
This exploit was created to exploit an XXE (XML External Entity). Through it, I read the backend code of the web service and found an endpoint where I could use gopher to make internal requests on Zabbix vulnerable to RCE.
Python
This is my exploit for CVE-2024-22120, which involves an SSRF vulnerability inside an XXE with a Gopher payload.
Python
This is my exploit for CVE-2024-22120, which involves an SSRF vulnerability inside an XXE with a Gopher payload.
Python
None
HTML
None
Time Based SQL Injection in Zabbix Server Audit Log --> RCE
redteam zabbix cve-2024-22120
Python
None
HTML Python
Fetch github trending every day and push to telegram channel
Python
None
Python
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-22120
vulnerability anywhere in the article.
- Cybersecurity News
CVE-2024-42327 (CVSS 9.9): Critical SQL Injection Vulnerability Found in Zabbix
Zabbix, a popular open-source IT infrastructure monitoring tool used by organizations worldwide, has been found to contain a critical SQL injection vulnerability (CVE-2024-42327) with a CVSS score of ... Read more
- Cybersecurity News
CVE-2024-22116 (CVSS 9.9): Critical RCE Vulnerability Found in Zabbix Monitoring Solution
Zabbix, a widely-adopted open-source solution for enterprise-level IT infrastructure monitoring, has disclosed a critical security vulnerability that could lead to full system compromise. The vulnerab ... Read more
- New Jetpack Site
Vulnerabilità critica in Zabbix
05/23/2024 PROTO: N240523 CERT-Yoroi informa che è stata resa nota una vulnerabilità critica su Zabbix che consente ad utenti malintenzionati di eseguire del codice da remoto arbitrario e privilege es ... Read more
The following table lists the changes that have been made to the
CVE-2024-22120
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://support.zabbix.com/browse/ZBX-24505 -
CVE Received by [email protected]
May. 17, 2024
Action Type Old Value New Value Added Description Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. Added Reference Zabbix https://support.zabbix.com/browse/ZBX-24505 [No types assigned] Added CWE Zabbix CWE-20 Added CVSS V3.1 Zabbix AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-22120
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-22120
weaknesses.