⚠ Actively exploited

Added to CISA KEV on 2022-02-22. Federal agencies required to patch by 2022-03-08. Required action: Apply updates per vendor instructions..

CVE-2022-23134 — Improper Access Control in Zabbix

CWE-284 — Improper Access Control CWE-287 — Improper Authentication CWE-863 — Incorrect Authorization8 documents8 sources

Severity

5.3MEDIUMNVD

CNA3.7VulnCheck3.7

EPSS

93.1%

top 0.21%

CISA KEV

KEV

Added 2022-02-22

Due 2022-03-08

Exploit

Exploited in wild

Active exploitation observed

Affected products

Zabbix Zabbix Frontend Debian Linux +1 more

Timeline

PublishedJan 13

KEV addedFeb 22

KEV dueMar 8

CISA Required Action: Apply updates per vendor instructions.

Description

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5zabbix/frontend5.4.0 - 5.4.8

▶Debianzabbix/zabbix< 1:6.0.7+dfsg-2+2

▶NVDzabbix/zabbix5.4.0 — 5.4.8+1

Also affects: Debian Linux 9.0, Fedora 34, 35

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

GHSA

GHSA-mv97-qj5h-25f3: After the initial setup process, some steps of setup↗2022-02-09

▶

CVEList

Possible view of the setup pages by unauthenticated users if config file already exists↗2022-01-13

▶

OSV

CVE-2022-23134: After the initial setup process, some steps of setup↗2022-01-13

▶

VulnCheck

Zabbix Frontend Improper Access Control Vulnerability↗2022

▶

💥Exploits & PoCs

Nuclei

Zabbix Setup Configuration Authentication Bypass

▶

📋Vendor Advisories

CISA

Zabbix Frontend Improper Access Control Vulnerability↗2022-02-22

▶

Debian

CVE-2022-23134: zabbix - After the initial setup process, some steps of setup.php file are reachable not ...↗2022

▶