Bugzilla – Bug 1224447
VUL-0: CVE-2024-22120: zabbix: time based SQL injection in Zabbix Server audit log
Last modified: 2024-05-18 16:32:10 UTC
Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22120 https://www.cve.org/CVERecord?id=CVE-2024-22120 https://support.zabbix.com/browse/ZBX-24505
It seems like Zabbix at versions below 5.0 are not affected by this issue, as the vulnerable function had not yet been introduced into the code (see [0] and [1] for more information). As for package zabbix in openSUSE:Factory, it is at version 6.0.28, which already contains the fix for this issue (see the comments in [2] for more information). Therefore, package zabbix is not affected in any codestreams. [0] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/941917c7c [1] https://support.zabbix.com/browse/ZBXNEXT-5847 [2] https://support.zabbix.com/browse/ZBX-24505