What is the severity of CVE-2014-3005?

CVE-2014-3005 has a high severity rating due to potential remote code execution risks from parsing crafted XML files.

How do I fix CVE-2014-3005?

To remediate CVE-2014-3005, upgrade Zabbix Server to a version beyond 2.0.3 that has addressed this vulnerability.

What versions of Zabbix are affected by CVE-2014-3005?

CVE-2014-3005 affects Zabbix versions 1.8 through 2.0.3 including multiple updates in between.

Can CVE-2014-3005 lead to data exfiltration?

Yes, CVE-2014-3005 could allow attackers to access sensitive data on the server by leveraging the XML parsing feature.

Is there a workaround for CVE-2014-3005 until I can update?

A temporary workaround for CVE-2014-3005 involves disabling the XML import feature to mitigate the risk.

Vulnerability/
CVE-2014-3005

critical

9.8

CWE

611

17/6/2014

1/2/2018

6/8/2024

CVE-2014-3005: XEE

First published: Tue Jun 17 2014(Updated: )

It was reported [1],[2] that the Zabbix frontend supported an XML data import feature, where on the server it used DOMDocument to parse the XML. By default, DOMDocument also parses the external DTD, which could allow a remote attacker to use a crafted XML file causing Zabbix to read an arbitrary local file, and send the contents of the specified file to a remote server. This is fixed upstream via: * svn://svn.zabbix.com/branches/dev/ZBX-8151-18 r46594 for 1.8 * svn://svn.zabbix.com/branches/dev/ZBX-8151-20 r46600 for 2.0+ [1] <a href="https://support.zabbix.com/browse/ZBX-8151">https://support.zabbix.com/browse/ZBX-8151</a> [2] <a href="http://www.pnigos.com/?p=273">http://www.pnigos.com/?p=273</a>

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Zabbix Server	=1.8
Zabbix Server	=1.8.1
Zabbix Server	=1.8.2
Zabbix Server	=1.8.3
Zabbix Server	=1.8.4
Zabbix Server	=1.8.5
Zabbix Server	=1.8.6
Zabbix Server	=1.8.7
Zabbix Server	=1.8.8
Zabbix Server	=1.8.9
Zabbix Server	=1.8.10
Zabbix Server	=1.8.11
Zabbix Server	=1.8.12
Zabbix Server	=1.8.13
Zabbix Server	=1.8.14
Zabbix Server	=1.8.15
Zabbix Server	=1.8.16
Zabbix Server	=1.8.17
Zabbix Server	=1.8.18
Zabbix Server	=1.8.19
Zabbix Server	=1.8.20
Zabbix Server	=2.0.0
Zabbix Server	=2.0.1
Zabbix Server	=2.0.2
Zabbix Server	=2.0.3
Zabbix Server	=2.0.4
Zabbix Server	=2.0.5
Zabbix Server	=2.0.6
Zabbix Server	=2.0.7
Zabbix Server	=2.0.8
Zabbix Server	=2.0.9
Zabbix Server	=2.0.10
Zabbix Server	=2.0.11
Zabbix Server	=2.0.12
Zabbix Server	=2.2.0
Zabbix Server	=2.2.1
Zabbix Server	=2.2.2
Zabbix Server	=2.2.3
Zabbix Server	=2.2.4
Zabbix Server	=2.3.0
Zabbix Server	=2.3.1
Fedora	=19
Fedora	=20

Remedy

https://support.zabbix.com/browse/ZBX-8151

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2014-3005?
CVE-2014-3005 has a high severity rating due to potential remote code execution risks from parsing crafted XML files.
How do I fix CVE-2014-3005?
To remediate CVE-2014-3005, upgrade Zabbix Server to a version beyond 2.0.3 that has addressed this vulnerability.
What versions of Zabbix are affected by CVE-2014-3005?
CVE-2014-3005 affects Zabbix versions 1.8 through 2.0.3 including multiple updates in between.
Can CVE-2014-3005 lead to data exfiltration?
Yes, CVE-2014-3005 could allow attackers to access sensitive data on the server by leveraging the XML parsing feature.
Is there a workaround for CVE-2014-3005 until I can update?
A temporary workaround for CVE-2014-3005 involves disabling the XML import feature to mitigate the risk.

agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2014-3005
agent/references
agent/severity
agent/last-modified-date
agent/weakness
agent/remedy
agent/author
agent/event
agent/description
agent/trending
agent/source
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
vendor/zabbix
canonical/zabbix server
version/zabbix server/1.8
version/zabbix server/1.8.1
version/zabbix server/1.8.2
version/zabbix server/1.8.3
version/zabbix server/1.8.4
version/zabbix server/1.8.5
version/zabbix server/1.8.6
version/zabbix server/1.8.7
version/zabbix server/1.8.8
version/zabbix server/1.8.9
version/zabbix server/1.8.10
version/zabbix server/1.8.11
version/zabbix server/1.8.12
version/zabbix server/1.8.13
version/zabbix server/1.8.14
version/zabbix server/1.8.15
version/zabbix server/1.8.16
version/zabbix server/1.8.17
version/zabbix server/1.8.18
version/zabbix server/1.8.19
version/zabbix server/1.8.20
version/zabbix server/2.0.0
version/zabbix server/2.0.1
version/zabbix server/2.0.2
version/zabbix server/2.0.3
version/zabbix server/2.0.4
version/zabbix server/2.0.5
version/zabbix server/2.0.6
version/zabbix server/2.0.7
version/zabbix server/2.0.8
version/zabbix server/2.0.9
version/zabbix server/2.0.10
version/zabbix server/2.0.11
version/zabbix server/2.0.12
version/zabbix server/2.2.0
version/zabbix server/2.2.1
version/zabbix server/2.2.2
version/zabbix server/2.2.3
version/zabbix server/2.2.4
version/zabbix server/2.3.0
version/zabbix server/2.3.1
vendor/fedoraproject
canonical/fedora
version/fedora/19
version/fedora/20