Vulnerability CVE-2020-11800

Vulnerability Name:

CVE-2020-11800 (CCN-189566)

Assigned:

2020-04-15

Published:

2020-04-15

Updated:

2022-01-01

Summary:

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2020-11800

Source: MISC
Type: Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html

Source: XF
Type: UNKNOWN
zabbixserver-cve202011800-code-exec(189566)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20201121 [SECURITY] [DLA 2461-1] zabbix security update

Source: CONFIRM
Type: Vendor Advisory
https://support.zabbix.com/browse/DEV-1538

Source: CCN
Type: ZBX-17600
Zabbix remote code execution vulnerability (CVE-2020-11800)

Source: CONFIRM
Type: Vendor Advisory
https://support.zabbix.com/browse/ZBX-17600

Source: CONFIRM
Type: Permissions Required, Vendor Advisory
https://support.zabbix.com/browse/ZBXSEC-30

Vulnerable Configuration:

Configuration 1:

cpe:/a:zabbix:zabbix:*:*:*:*:*:*:*:* (Version >= 2.2.0 and < 3.0.31)

OR cpe:/a:zabbix:zabbix:3.2.0:-:*:*:*:*:*:*

Configuration 2:

cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

OR cpe:/a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:zabbix:zabbix:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:2.2.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:202011800	V	CVE-2020-11800	2022-09-02
oval:org.opensuse.security:def:64643	P	Security update for kernel-firmware (Low)	2021-12-30
oval:org.opensuse.security:def:64751	P	Security update for libvirt (Moderate)	2021-08-23
oval:org.opensuse.security:def:63499	P	libvorbis0-32bit-1.3.6-4.3.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63128	P	python-azure-agent-2.2.49.2-3.20.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63361	P	openssh-fips-8.4p1-1.30 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63096	P	libopenssl-1_0_0-devel-1.0.2p-3.37.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63100	P	postgresql10-10.16-8.29.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:64548	P	Security update for curl (Moderate)	2021-07-21
oval:org.opensuse.security:def:62880	P	xorg-x11-server-sdk-1.19.6-6.19 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:63103	P	kernel-default-livepatch-4.12.14-23.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:64507	P	Security update for hivex (Moderate)	2021-05-26
oval:org.opensuse.security:def:64644	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:63599	P	pidgin-plugin-otr-4.0.2-1.61 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62680	P	libmad-devel-0.15.1b-3.16 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62679	P	liblouis-data-3.11.0-1.42 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63306	P	subversion-server-1.10.6-3.6.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62703	P	libthai0-32bit-0.1.27-1.16 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63159	P	libfpm_pb0-1.1.1-2.29 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:74965	P	Security update for nasm (Moderate)	2020-12-01
oval:org.opensuse.security:def:64394	P	libtiff-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64052	P	Security update for libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:63949	P	Security update for ucode-intel (Moderate)	2020-12-01
oval:org.opensuse.security:def:74614	P	Security update for zabbix (Moderate)	2020-12-01
oval:org.opensuse.security:def:64853	P	Security update for polkit (Important)	2020-12-01
oval:org.opensuse.security:def:65023	P	Security update for libjpeg-turbo (Moderate)	2020-12-01
oval:org.opensuse.security:def:64292	P	libFS-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:63725	P	Security update for elfutils (Low)	2020-12-01
oval:org.opensuse.security:def:75098	P	Security update for zabbix (Moderate)	2020-12-01
oval:org.opensuse.security:def:64436	P	perl-Mail-SpamAssassin on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64186	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:63802	P	Security update for mariadb-100 (Moderate)	2020-12-01
oval:org.opensuse.security:def:74488	P	Security update for opencv (Moderate)	2020-12-01
oval:org.opensuse.security:def:64178	P	Security update for raptor (Important)	2020-12-01
oval:org.opensuse.security:def:64911	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:100242	P	(Important)	2020-11-12
oval:org.opensuse.security:def:96372	P	Security update for zabbix (Moderate)	2020-10-04
oval:org.opensuse.security:def:110793	P	Security update for zabbix (Moderate)	2020-10-04
oval:org.opensuse.security:def:109719	P	Security update for zabbix (Moderate)	2020-10-04
oval:org.opensuse.security:def:103062	P	Security update for zabbix (Moderate)	2020-10-04
oval:org.opensuse.security:def:93529	P	Security update for zabbix (Moderate)	2020-10-04
oval:org.opensuse.security:def:110238	P	Security update for zabbix (Moderate)	2020-10-04

BACK