First published: Tue Jun 17 2014(Updated: )
It was reported [1],[2] that the Zabbix frontend supported an XML data import feature, where on the server it used DOMDocument to parse the XML. By default, DOMDocument also parses the external DTD, which could allow a remote attacker to use a crafted XML file causing Zabbix to read an arbitrary local file, and send the contents of the specified file to a remote server. This is fixed upstream via: * svn://svn.zabbix.com/branches/dev/ZBX-8151-18 r46594 for 1.8 * svn://svn.zabbix.com/branches/dev/ZBX-8151-20 r46600 for 2.0+ [1] <a href="https://support.zabbix.com/browse/ZBX-8151">https://support.zabbix.com/browse/ZBX-8151</a> [2] <a href="http://www.pnigos.com/?p=273">http://www.pnigos.com/?p=273</a>
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Zabbix Zabbix | =1.8 | |
Zabbix Zabbix | =1.8.1 | |
Zabbix Zabbix | =1.8.2 | |
Zabbix Zabbix | =1.8.3 | |
Zabbix Zabbix | =1.8.4 | |
Zabbix Zabbix | =1.8.5 | |
Zabbix Zabbix | =1.8.6 | |
Zabbix Zabbix | =1.8.7 | |
Zabbix Zabbix | =1.8.8 | |
Zabbix Zabbix | =1.8.9 | |
Zabbix Zabbix | =1.8.10 | |
Zabbix Zabbix | =1.8.11 | |
Zabbix Zabbix | =1.8.12 | |
Zabbix Zabbix | =1.8.13 | |
Zabbix Zabbix | =1.8.14 | |
Zabbix Zabbix | =1.8.15 | |
Zabbix Zabbix | =1.8.16 | |
Zabbix Zabbix | =1.8.17 | |
Zabbix Zabbix | =1.8.18 | |
Zabbix Zabbix | =1.8.19 | |
Zabbix Zabbix | =1.8.20 | |
Zabbix Zabbix | =2.0.0 | |
Zabbix Zabbix | =2.0.1 | |
Zabbix Zabbix | =2.0.2 | |
Zabbix Zabbix | =2.0.3 | |
Zabbix Zabbix | =2.0.4 | |
Zabbix Zabbix | =2.0.5 | |
Zabbix Zabbix | =2.0.6 | |
Zabbix Zabbix | =2.0.7 | |
Zabbix Zabbix | =2.0.8 | |
Zabbix Zabbix | =2.0.9 | |
Zabbix Zabbix | =2.0.10 | |
Zabbix Zabbix | =2.0.11 | |
Zabbix Zabbix | =2.0.12 | |
Zabbix Zabbix | =2.2.0 | |
Zabbix Zabbix | =2.2.1 | |
Zabbix Zabbix | =2.2.2 | |
Zabbix Zabbix | =2.2.3 | |
Zabbix Zabbix | =2.2.4 | |
Zabbix Zabbix | =2.3.0 | |
Zabbix Zabbix | =2.3.1 | |
Fedoraproject Fedora | =19 | |
Fedoraproject Fedora | =20 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.