  1. ZABBIX BUGS AND ISSUES
  2. ZBX-20384

Possible view of the setup pages by unauthenticated users if config file already exists (CVE-2022-23134)

Details

    • Team A
    • Sprint 83 (Dec 2021)
    • 1

    Description

      CVE number: CVE-2022-23134
      CVSS score: 3.7
      Severity: Low
      Description: After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well.
      Known attack vectors: A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
      Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products or, if an immediate update is not possible, follow the workarounds presented below.
      Acknowledgements: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us.
      Affected versions: 5.4.0 - 5.4.8; 6.0.0 - 6.0.0beta1
      Workarounds: If an immediate update is not possible, please remove the setup.php file.
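
      One way to review frontend access logs for requests to setup.php after initial setup, and to confirm the workaround took effect. This is an added example, not Zabbix code: it assumes combined-format web-server access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined/common log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def setup_php_hits(lines):
    """Return {client: [(time, method, target, status), ...]} for setup.php requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        # Compare only the path, so query strings and a sub-directory
        # install (e.g. /zabbix/setup.php) are both handled.
        path = urlsplit(m["target"]).path
        if path.rsplit("/", 1)[-1].lower() != "setup.php":
            continue
        hits[m["client"]].append(
            (m["time"], m["method"], m["target"], int(m["status"]))
        )
    return dict(hits)

def served(hits):
    """Clients that got a 2xx answer, i.e. the web server still serves setup.php."""
    return sorted(c for c, rows in hits.items()
                  if any(200 <= r[3] < 300 for r in rows))

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2022:09:12:01 +0000] "GET /zabbix/index.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:09:14:33 +0000] "GET /zabbix/setup.php HTTP/1.1" 200 5120 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Jan/2022:09:14:40 +0000] "POST /zabbix/setup.php HTTP/1.1" 200 4987 "-" "curl/7.79.1"',
    '203.0.113.5 - - [11/Jan/2022:02:00:09 +0000] "GET /setup.php?x=1 HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [11/Jan/2022:08:00:00 +0000] "GET /zabbix/setup.php.bak HTTP/1.1" 404 196 "-" "-"',
]

if __name__ == "__main__":
    found = setup_php_hits(SAMPLE_LOG)
    for client, rows in found.items():
        print(client, [(r[1], r[3]) for r in rows])
    print("setup.php answered 2xx for:", served(found))
```

      A 2xx status only shows that the file was served, not that any configuration was changed; once setup.php has been removed, log lines written from that point on should leave `served()` empty.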


            People

              averza Andrejs Verza
              sasha Alexander Vladishev