ZABBIX BUGS AND ISSUES / ZBX-22087

Zabbix Web Service Report Generation External Control of File Name Information Disclosure Vulnerability (CVE-2022-46768)


Details

    • Type: Defect (Security)
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.4.0beta5, 6.4 (plan)
    • Component/s: Appliance (L)
    • Labels: None
    • Team: Team A
    • 1

    Description

      ID: ZBV-2022-09-1

      CVE: CVE-2022-46768

      Synopsis: File name information disclosure vulnerability in Zabbix Web Service Report Generation

      Description: An arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on TCP port 10053. The service does not properly validate the URL parameters it receives before reading files, so the name of the file to be read is under external control.

      CVSS v3 base score: 5.9 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

      Zabbix Severity: Medium

      Known Attack Vectors: An unauthenticated attacker can read arbitrary files from the file system of the host running the web service, provided two pre-conditions hold:

      1. The AllowedIP setting in zabbix_web_service.conf permits connections from the attacker's IP address.
      2. Google Chrome is installed on the victim server (the web service requires it to render reports).

      Resolution: To remediate this vulnerability, apply the updates listed in the 'Fix Version/s' field to the affected products, or use the workaround.

      Workarounds: If an immediate update is not possible, limit network access to Zabbix Web Service Report Generation: restrict AllowedIP in zabbix_web_service.conf to the addresses of the Zabbix server (and proxies) that legitimately request reports, and firewall TCP port 10053 (the ListenPort default) from all other hosts.
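The first pre-condition above is the AllowedIP setting, so the quickest check for an exposed instance is to audit that directive. The following POSIX shell script is an added example and not Zabbix project code: it reads the last uncommented AllowedIP line of a zabbix_web_service.conf, flags entries that admit any source address (a /0 prefix such as 0.0.0.0/0 or ::/0) and flags a missing directive, and runs against two constructed sample files, one exposed and one hardened. The 192.0.2.x addresses in the hardened sample are TEST-NET placeholders standing in for a real Zabbix server and proxy.

```shell
#!/bin/sh
# Added example (not Zabbix project code): audit the AllowedIP directive of
# zabbix_web_service.conf for entries that admit any source address, the
# first pre-condition for exploiting CVE-2022-46768. The two sample
# configuration files written below are constructed for this demonstration;
# 192.0.2.10 and 192.0.2.11 are TEST-NET placeholders for a server and proxy.

# Print the value of the last uncommented AllowedIP line in a config file.
# Prints nothing when the directive is absent.
allowed_ip_value() {
    grep -E '^[[:space:]]*AllowedIP[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Audit one file. Prints a FINDING line for a missing directive and for each
# entry with a /0 prefix (matches every address); returns 0 only when clean.
audit_allowed_ip() {
    conf=$1
    value=$(allowed_ip_value "$conf")
    if [ -z "$value" ]; then
        echo "FINDING: $conf: AllowedIP not set; list the Zabbix server/proxy addresses explicitly"
        return 1
    fi
    rc=0
    old_ifs=$IFS
    IFS=','
    for entry in $value; do
        # Trim surrounding whitespace from each comma-separated entry.
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in
            */0)
                echo "FINDING: $conf: AllowedIP entry '$entry' admits any source address"
                rc=1
                ;;
        esac
    done
    IFS=$old_ifs
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf: AllowedIP=$value"
    fi
    return "$rc"
}

# Write the constructed sample files into a temporary directory and print it.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
ListenPort=10053
# Exposed: any IPv4 or IPv6 address may request report generation.
AllowedIP=0.0.0.0/0,::/0
EOF
    cat > "$dir/hardened.conf" <<'EOF'
ListenPort=10053
# Only loopback and the Zabbix server/proxy (placeholder addresses) may connect.
AllowedIP=127.0.0.1,::1,192.0.2.10,192.0.2.11
EOF
    printf '%s\n' "$dir"
}

# Run the audit over both samples; 'findings' counts files that failed.
samples=$(write_samples)
findings=0
for f in "$samples/weak.conf" "$samples/hardened.conf"; do
    audit_allowed_ip "$f" || findings=$((findings + 1))
done
```

Point `audit_allowed_ip` at the real file (typically /etc/zabbix/zabbix_web_service.conf) on each host that runs the web service. A clean AllowedIP is necessary but not sufficient: the service still listens on port 10053, so a host firewall rule limiting that port to the same server and proxy addresses belongs alongside it until the fixed version is deployed.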

      People

        dimir
        amitrofanov (Alexey Mitrofanov, inactive)