Processed: Re: Bug#842702: Remote Code Execution on Zabbix 2.2 < 3.0.3
Processing control commands:

> retitle -1 zabbix: CVE-2016-9140: API JSON-RPC remote code execution
Bug #842702 [zabbix-frontend-php] Remote Code Execution on Zabbix 2.2 < 3.0.3
Changed Bug title to 'zabbix: CVE-2016-9140: API JSON-RPC remote code execution' from 'Remote Code Execution on Zabbix 2.2 < 3.0.3'.
> found -1 1:2.2.7+dfsg-2
Bug #842702 [zabbix-frontend-php] zabbix: CVE-2016-9140: API JSON-RPC remote code execution
Marked as found in versions zabbix/1:2.2.7+dfsg-2.
> tags -1 + upstream security
Bug #842702 [zabbix-frontend-php] zabbix: CVE-2016-9140: API JSON-RPC remote code execution
Added tag(s) upstream.

--
842702: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842702
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#842702: Remote Code Execution on Zabbix 2.2 < 3.0.3
Control: retitle -1 zabbix: CVE-2016-9140: API JSON-RPC remote code execution
Control: found -1 1:2.2.7+dfsg-2
Control: tags -1 + upstream security

Hi

I'm not sure the subject is correct in stating that versions only below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php it does not look yet fixed. Can you confirm?

Is upstream actually aware of the issue? Is a fix available?

Regards,
Salvatore
Bug#842702: Remote Code Execution on Zabbix 2.2 < 3.0.3
Package: zabbix-frontend-php
Version: 1:2.2.7+dfsg-2+deb8u1
Severity: grave

Zabbix on Jessie is vulnerable to remote code execution through exploit available in [1] (valid zabbix user/password is needed). I do not find any CVE related to this bug.

[1] https://www.exploit-db.com/exploits/39937/

--
Rogerio Bastos
PoP-BA/RNP