Zabbix agent is found to be vulnerable to remote command execution from the Zabbix server in some cases.
It is found that if a flexible user parameter is configured in the agent, including a newline in the parameters will execute newline section as a separate command even if UnsafeUserParameters are disabled.
This type of attack is known to be only possible from Zabbix server or Zabbix proxy systems that are explicitly allowed in the agent configuration. Only flexible user parameters are vulnerable, static ones are not.
Created zabbix tracking bugs for this issue:
Affects: fedora-all [bug 1037942]
Affects: epel-all [bug 1037943]
Created zabbix20 tracking bugs for this issue:
Affects: epel-all [bug 1037944]