Bug 2047748 (CVE-2021-46088)

Summary: CVE-2021-46088 zabbix: admin users can perform remote code execution in the application user context
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bennie.joubert, dan, gwync, orion, volker27
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2047749
Bug Blocks:

Description Sandipan Roy 2022-01-28 13:13:26 UTC
Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS are vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell scripts on the application server in the context of the application user.

https://github.com/paalbra/zabbix-zbxsec-7

Comment 1 Sandipan Roy 2022-01-28 13:13:47 UTC
Created zabbix tracking bugs for this issue:

Affects: fedora-all [bug 2047749]