Candidate: CVE-2020-11800
PublicDate: 2020-10-07 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11800
 https://support.zabbix.com/browse/DEV-1538
 https://support.zabbix.com/browse/ZBX-17600
 https://support.zabbix.com/browse/ZBXSEC-30 (not public)
 https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/85453e04656fc7bd8a6790f5295d79410101745c
Description:
 Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote
 attackers to execute arbitrary code.
Ubuntu-Description:
 Fu Chuang discovered that Zabbix did not properly parse IPs. A remote
 attacker could possibly use this issue to execute arbitrary code.
Notes:
Mitigation:
Bugs:
Priority: high
Discovered-by: Fu Chuang
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_zabbix:
 upstream: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/85453e04656fc7bd8a6790f5295d79410101745c
upstream_zabbix: released (1:4.0.0+dfsg-1)
precise/esm_zabbix: DNE
trusty_zabbix: ignored (out of standard support)
trusty/esm_zabbix: needed
xenial_zabbix: ignored (end of standard support, was needed)
bionic_zabbix: needed
focal_zabbix: not-affected (1:4.0.17+dfsg-1)
groovy_zabbix: not-affected
hirsute_zabbix: not-affected
impish_zabbix: not-affected
jammy_zabbix: not-affected
devel_zabbix: not-affected