CVE-2022-46768 — Improper Input Validation in Zabbix-agent2

CWE-20 — Improper Input Validation4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

5.2%

top 10.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Zabbix Zabbix-agent2 Debian Zabbix +1 more

Timeline

PublishedDec 15

Description

Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶NVDzabbix/web_service_report_generation6.0.0 — 6.0.11+1

▶CVEListV5zabbix/web_service_report_generation6.0.0-6.0.11, 6.2.0-6.2.5+1

▶debiandebian/zabbix< zabbix 1:6.0.13+dfsg-1 (bookworm)

▶NVDzabbix/zabbix-agent26.2.0 — 6.2.6+1

▶Debianzabbix/zabbix< 1:6.0.13+dfsg-1+2

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

GHSA

GHSA-r7ff-gv9g-75w3: Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053↗2022-12-15

▶

OSV

CVE-2022-46768: Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053↗2022-12-15

▶

📋Vendor Advisories

Debian

CVE-2022-46768: zabbix - Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation...↗2022

▶