Candidate: CVE-2014-3005
PublicDate: 2018-02-01 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3005
 http://seclists.org/fulldisclosure/2014/Jun/87
Description:
 XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
Ubuntu-Description:
 It was discovered that Zabbix incorrectly handled certain XML files. A remote attacker could possibly use this issue to read arbitrary files or potentially execute arbitrary code.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751910
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_zabbix:
 upstream: https://support.zabbix.com/secure/attachment/28912/ZBX_8151_2_2_2.patch
upstream_zabbix: released (1:2.2.5+dfsg-1)
lucid_zabbix: ignored (reached end-of-life)
precise_zabbix: ignored (reached end-of-life)
precise/esm_zabbix: DNE (precise was needed)
saucy_zabbix: ignored (reached end-of-life)
trusty_zabbix: ignored (out of standard support)
trusty/esm_zabbix: needed
utopic_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
vivid_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
vivid/stable-phone-overlay_zabbix: DNE
vivid/ubuntu-core_zabbix: DNE
wily_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
xenial_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
yakkety_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
zesty_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
artful_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
bionic_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
cosmic_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
disco_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
eoan_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
focal_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
groovy_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
hirsute_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
impish_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
jammy_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)
devel_zabbix: not-affected (1:2.2.5+dfsg-1ubuntu1)