High severity8.1NVD Advisory· Published Jan 23, 2017· Updated May 13, 2026
CVE-2016-4338
CVE-2016-4338
Description
The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- packetstormsecurity.com/files/136898/Zabbix-Agent-3.0.1-mysql.size-Shell-Command-Injection.htmlnvdExploitThird Party AdvisoryVDB Entry
- seclists.org/fulldisclosure/2016/May/9nvdExploitThird Party AdvisoryVDB Entry
- support.zabbix.com/browse/ZBX-10741nvdExploitPatchVendor Advisory
- www.exploit-db.com/exploits/39769/nvdExploitThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/89631nvdThird Party AdvisoryVDB Entry
- security.gentoo.org/glsa/201612-42nvdThird Party AdvisoryVDB Entry
- www.zabbix.com/documentation/2.0/manual/introduction/whatsnew2018nvdVendor Advisory
- www.zabbix.com/documentation/2.2/manual/introduction/whatsnew2213nvdVendor Advisory
- www.zabbix.com/documentation/3.0/manual/introduction/whatsnew303nvdVendor Advisory
- www.securityfocus.com/archive/1/538258/100/0/threadednvd
News mentions
0No linked articles in our index yet.