Bug 1224447 (CVE-2024-22120)

Summary: VUL-0: CVE-2024-22120: zabbix: time based SQL injection in Zabbix Server audit log
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: <ydfan>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P5 - None
CC: boris, camila.matos
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/406306/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-22120:9.1:(AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-17 19:25:22 UTC
Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22120
https://www.cve.org/CVERecord?id=CVE-2024-22120
https://support.zabbix.com/browse/ZBX-24505
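
The bug class named in the description, as an added example (not Zabbix code and not part of the original report): an audit-log insert built by string concatenation beside one that binds every value and validates `clientip` as an IP address. The `auditlog` table, the function names and the sample input are constructed for illustration, and SQLite stands in for the real database.

```python
import ipaddress
import sqlite3

# Hypothetical, simplified audit table for illustration; not the Zabbix schema.
SCHEMA = "CREATE TABLE auditlog (username TEXT, clientip TEXT, action TEXT)"

# Constructed input: the quote closes the string literal early, so the rest
# of the value is parsed as SQL instead of being stored as data.
CRAFTED_IP = "10.0.0.5', 'forged') --"

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def insert_concat(db, username, clientip, action):
    """Vulnerable pattern: values are pasted into the SQL text."""
    db.execute("INSERT INTO auditlog (username, clientip, action) "
               f"VALUES ('{username}', '{clientip}', '{action}')")

def insert_bound(db, username, clientip, action, validate=True):
    """Hardened pattern: bind every value; optionally require a real IP."""
    if validate:
        # Raises ValueError for anything that is not an IPv4/IPv6 address.
        clientip = str(ipaddress.ip_address(clientip))
    db.execute("INSERT INTO auditlog (username, clientip, action) "
               "VALUES (?, ?, ?)", (username, clientip, action))

def rows(db):
    return db.execute("SELECT username, clientip, action FROM auditlog").fetchall()

def demo():
    vuln, bound, strict = new_db(), new_db(), new_db()
    insert_concat(vuln, "admin", CRAFTED_IP, "script.execute")
    insert_bound(bound, "admin", CRAFTED_IP, "script.execute", validate=False)
    try:
        insert_bound(strict, "admin", CRAFTED_IP, "script.execute")
        rejected = False
    except ValueError:
        rejected = True
    insert_bound(strict, "admin", "10.0.0.5", "script.execute")
    return rows(vuln), rows(bound), rejected, rows(strict)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the concatenated case the stored action is the injected string rather than `script.execute`; with binding the crafted value is stored verbatim as data, and with validation it is rejected before it reaches the database.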

Comment 1 Camila Camargo de Matos 2024-05-17 19:30:59 UTC
It seems like Zabbix versions below 5.0 are not affected by this issue, as the vulnerable function had not yet been introduced into the code (see [0] and [1] for more information).

As for package zabbix in openSUSE:Factory, it is at version 6.0.28, which already contains the fix for this issue (see the comments in [2] for more information).

Therefore, package zabbix is not affected in any codestreams.

[0] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/941917c7c
[1] https://support.zabbix.com/browse/ZBXNEXT-5847
[2] https://support.zabbix.com/browse/ZBX-24505