5.3

CVE-2022-23134

Warning

After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. A malicious actor can pass the step checks and potentially change the configuration of the Zabbix Frontend.

Data is provided by the National Vulnerability Database (NVD)
Affected products (vendor, product, version):

Zabbix          Zabbix        Version >= 5.4.0 and <= 5.4.8
Zabbix          Zabbix        Version 6.0.0 (update alpha1)
Zabbix          Zabbix        Version 6.0.0 (update alpha2)
Zabbix          Zabbix        Version 6.0.0 (update alpha3)
Zabbix          Zabbix        Version 6.0.0 (update alpha4)
Zabbix          Zabbix        Version 6.0.0 (update alpha5)
Zabbix          Zabbix        Version 6.0.0 (update alpha6)
Zabbix          Zabbix        Version 6.0.0 (update alpha7)
Zabbix          Zabbix        Version 6.0.0 (update beta1)
Fedoraproject   Fedora        Version 34
Fedoraproject   Fedora        Version 35
Debian          Debian Linux  Version 9.0

22.02.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Zabbix Frontend Improper Access Control Vulnerability

Description: Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.

Required actions: Apply updates per vendor instructions.
EPSS Metrics

Type   Source      Score    Percentile
EPSS   FIRST.org   93.08%   0.998

CVSS Metrics

Source                Base Score   Exploit Score   Impact Score   Vector string
nvd@nist.gov          5.3          3.9             1.4            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov          5            10              2.9            AV:N/AC:L/Au:N/C:N/I:P/A:N
security@zabbix.com   3.7          2.2             1.4            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.