Zabbix, a widely used IT infrastructure management and monitoring tool, recently patched a critical defect rated 9.9 out of 10. The SQL injection vulnerability allows unprivileged users to gain complete control of vulnerable servers, and thousands of vulnerable systems are easily discoverable online.
According to the vulnerability description, a non-admin user account on the Zabbix frontend with any other role that gives API access can exploit this vulnerability.
“An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access,” Zabbix said in an advisory.
A scan by the cloud security firm Qualys found more than 83,000 potential targets affected by the vulnerability.
Zabbix is an open-source monitoring tool that collects, stores, manages, and analyzes information from IT infrastructure.
Companies use Zabbix to monitor IT components, including networks, servers, virtual machines (VMs), and cloud services, and to visualize and access the collected data through a web-based frontend.
“An attacker may inject SQL commands by manipulating API calls. Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access and control,” Qualys explains.
Zabbix released fixed versions 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1 to patch the vulnerability.
The flaw was discovered and reported by Márk Rákóczi through the HackerOne bug bounty platform.
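As an added example (not code from the article or from the Zabbix project), the check below tells whether a reported Zabbix version is at or above the fixed releases named above. The `apiinfo.version` JSON-RPC reply is a constructed sample, and the handling of `rc`/`beta`/`alpha` suffixes is an assumption about Zabbix's version numbering.

```python
import json
import re
from typing import Optional, Tuple

# Fixed versions named in the advisory; anything older in the same
# major.minor branch is treated as unpatched.
FIXED_VERSIONS = ("6.0.32rc1", "6.4.17rc1", "7.0.1rc1")

# Assumed format: major.minor.patch with an optional pre-release suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")
_STAGE_ORDER = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # final release sorts last


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '6.0.32rc1' into a sortable tuple; a final release outranks its pre-releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage], int(stage_num or 0))


def is_patched(version: str) -> Optional[bool]:
    """True if version is at or above the fix for its branch, False if below,
    None if the branch (major.minor) is not covered by the advisory."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2]:
            return v >= f
    return None


def check_api_response(raw: str) -> Optional[bool]:
    """Evaluate a JSON-RPC reply to Zabbix's unauthenticated apiinfo.version method."""
    reply = json.loads(raw)
    return is_patched(reply["result"])


# Constructed sample reply, not captured from a real server.
SAMPLE_REPLY = '{"jsonrpc":"2.0","result":"6.0.31","id":1}'

if __name__ == "__main__":
    for v in ("6.0.31", "6.0.32rc1", "6.0.32", "6.4.16", "7.0.0", "7.0.1", "5.0.40"):
        print(f"{v:10} patched={is_patched(v)}")
    print("sample API reply ->", check_api_response(SAMPLE_REPLY))
```

A `None` result means the branch is outside the advisory and needs a separate look rather than being assumed safe.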