First published: Thu Jan 13 2022
After the initial setup process, some steps of the setup.php file remain reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass the step checks and potentially change the configuration of the Zabbix Frontend.
Credit: security@zabbix.com
Vendor | Affected Software | Affected Version | How to fix
---|---|---|---
Zabbix | Zabbix Frontend | >=5.4.0, <=5.4.8 | |
Zabbix | Zabbix Frontend | =6.0.0-alpha1 | |
Zabbix | Zabbix Frontend | =6.0.0-alpha2 | |
Zabbix | Zabbix Frontend | =6.0.0-alpha3 | |
Zabbix | Zabbix Frontend | =6.0.0-alpha4 | |
Zabbix | Zabbix Frontend | =6.0.0-alpha5 | |
Zabbix | Zabbix Frontend | =6.0.0-alpha6 | |
Zabbix | Zabbix Frontend | =6.0.0-alpha7 | |
Zabbix | Zabbix Frontend | =6.0.0-beta1 | |
Fedoraproject | Fedora | =34 | |
Fedoraproject | Fedora | =35 | |
Debian | Debian Linux | =9.0 | |
To remediate this vulnerability, apply the updates or, if an immediate update is not possible, follow the presented workarounds.
The vulnerability ID is CVE-2022-23134.
The title of the vulnerability is Zabbix Frontend Improper Access Control Vulnerability.
The severity of CVE-2022-23134 is medium with a CVSS score of 5.3.
Zabbix Frontend versions 5.4.0 to 5.4.8, as well as Zabbix 6.0.0-alpha1 to 6.0.0-alpha7, are affected.
An attacker can exploit CVE-2022-23134 by passing step checks in the setup.php file and potentially changing the configuration of Zabbix Frontend.
References related to CVE-2022-23134 can be found on the Debian LTS and Fedora Project mailing lists.