ZABBIX BUGS AND ISSUES / ZBX-20384

Possible view of the setup pages by unauthenticated users if config file already exists (CVE-2022-23134)


    • Sprint 83 (Dec 2021)
    • 1

      CVE number: CVE-2022-23134
      CVSS score: 3.7
      Severity: Low
      Description: After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators but also by unauthenticated users.
      Known attack vectors: A malicious actor can pass the step checks and potentially change the configuration of Zabbix Frontend.
      Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products or, if an immediate update is not possible, follow the workarounds presented below.
      Acknowledgements: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us.
      Affected versions: 5.4.0 - 5.4.8
                         6.0.0 - 6.0.0beta1
      Workarounds: If an immediate update is not possible, please remove the setup.php file.
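
Added example (not part of the Zabbix advisory or Zabbix code): a log review for the condition described above, listing which clients requested setup.php and whether the file still answered. It assumes a web server access log in Apache/nginx "combined" format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined/common log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2022:09:14:01 +0000] "GET /zabbix/index.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2022:09:15:42 +0000] "GET /zabbix/setup.php HTTP/1.1" 200 5310 "-" "curl/7.79.1"
198.51.100.7 - - [12/Jan/2022:09:15:44 +0000] "POST /zabbix/setup.php HTTP/1.1" 200 5402 "-" "curl/7.79.1"
203.0.113.5 - - [12/Jan/2022:10:02:13 +0000] "GET /setup.php?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2022:10:05:00 +0000] "GET /zabbix/setup.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
malformed line that the parser must skip
"""

def setup_php_requests(log_text):
    """Return {client: [(timestamp, method, status), ...]} for setup.php hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0]  # drop the query string
        if path.rsplit("/", 1)[-1].lower() != "setup.php":
            continue  # match the exact file name only, under any prefix
        hits[m["client"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def still_served(hits):
    """Clients that got a 2xx from setup.php: the file is present and answering."""
    return sorted(c for c, reqs in hits.items()
                  if any(200 <= status < 300 for _, _, status in reqs))

if __name__ == "__main__":
    found = setup_php_requests(SAMPLE_LOG)
    for client, reqs in found.items():
        print(client, reqs)
    print("2xx responses from setup.php for:", still_served(found))
```

A 2xx response only shows that setup.php is still being served; the access log does not show whether the client was a logged-in super-administrator. Once the workaround is applied, the same requests should appear with 404.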

            averza Andrejs Verza
            sasha Alexander Vladishev
            Team A