⚠ Actively exploited
Added to CISA KEV on 2022-02-22. Federal agencies required to patch by 2022-03-08. Required action: Apply updates per vendor instructions.
CVE-2022-23131 — Authentication Bypass by Spoofing in Zabbix
Severity
NVD: 9.8 (CRITICAL)
CNA: 9.1
VulnCheck: 9.1
EPSS
94.0% (top 0.10%)
CISA KEV
Added: 2022-02-22
Due: 2022-03-08
Exploit
Exploited in the wild; active exploitation observed
Affected products
Timeline
Published: Jan 13
KEV added: Feb 22
Latest update: Mar 2
KEV due: Mar 8
CISA Required Action: Apply updates per vendor instructions.
Description
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages (2 packages)
Patches
Vulnerability Details
GHSA-4g73-3mxf-j47w (2022-01-14): In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user…
CVE List (2022-01-13): Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML
Exploits & PoCs (1)
Nuclei template: Zabbix - SAML SSO Authentication Bypass