Vulnerability Details CVE-2022-23134
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.906
EPSS Ranking 99.6%
CVSS Severity
CVSS v3 Score 3.7
CVSS v2 Score 5.0
Proposed Action
Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.
Ransomware Campaign
Unknown
References
- https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
- https://support.zabbix.com/browse/ZBX-20384
- https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
- https://support.zabbix.com/browse/ZBX-20384
Products affected by CVE-2022-23134
-
cpe:2.3:a:zabbix:zabbix:5.4.0
-
cpe:2.3:a:zabbix:zabbix:5.4.1
-
cpe:2.3:a:zabbix:zabbix:5.4.2
-
cpe:2.3:a:zabbix:zabbix:5.4.3
-
cpe:2.3:a:zabbix:zabbix:5.4.4
-
cpe:2.3:a:zabbix:zabbix:5.4.5
-
cpe:2.3:a:zabbix:zabbix:5.4.6
-
cpe:2.3:a:zabbix:zabbix:5.4.7
-
cpe:2.3:a:zabbix:zabbix:5.4.8
-
cpe:2.3:a:zabbix:zabbix:6.0.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:34
-
cpe:2.3:o:fedoraproject:fedora:35