ZABBIX BUGS AND ISSUES / ZBX-23230

Inefficient user permission check in class CControllerAuthenticationUpdate (CVE-2023-32723)


Details

    Description

      Mitre ID: CVE-2023-32723
      CVSS score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N)
      https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
      Severity: high
      Summary: Inefficient permission check in class CControllerAuthenticationUpdate
      Description: The request to the LDAP server is sent before the user's permissions are checked.
      Known attack vectors: The flaw allows an unauthorized Server-Side Request Forgery (SSRF) from the Zabbix Frontend. An authenticated attacker who lacks the privileges needed to change authentication settings abuses this server-side functionality to make the frontend connect to a host of the attacker's choosing, and so reach or modify resources the attacker could not reach directly. The attacker targets an application that reads or imports data from URLs.
      Patch provided: No
      Component/s: Frontend
      Affected version/s and fix version/s:
        4.0.0 - 4.0.19rc1 / 4.0.20rc1
        4.4.0 - 4.4.7rc1 / 4.4.8rc1
        5.0.0alpha3 / 5.0.0alpha4
      Fix compatibility tests: -
      Resolution: Fixed
      Workarounds:
      Acknowledgements: Zabbix wants to thank xiaojunjie
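The ordering defect named in the Description and Known attack vectors fields, as an added example that is not Zabbix frontend code and is not part of this issue: a controller whose input validation performs an LDAP test bind against a user-supplied host before the permission check runs, beside the corrected ordering in which validation is side-effect free and the LDAP request happens only after authorization. The controller class names, the check_input/check_permissions/do_action methods, the role constants, the request fields and the recording LDAP client are all hypothetical stand-ins chosen so the script runs offline; the 169.254.169.254 target is a constructed SSRF-style input, not data from the report.

```python
"""Constructed demonstration of a privileged side effect (an LDAP test bind to a
user-supplied host) performed during input validation, i.e. before the permission
check, versus the corrected ordering.  Example code, not Zabbix frontend code;
the controller methods, role constants and the stand-in LDAP client are hypothetical."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical role levels; only the top one may change authentication settings.
ROLE_USER = 1
ROLE_SUPER_ADMIN = 3


@dataclass
class RecordingLdapClient:
    """Stand-in for an LDAP client.  Instead of opening a socket it records the
    (host, port) it was asked to bind to, so the example runs offline and any
    SSRF attempt is observable in .attempts."""
    attempts: List[Tuple[str, int]] = field(default_factory=list)

    def test_bind(self, host: str, port: int, bind_dn: str, password: str) -> bool:
        self.attempts.append((host, port))
        return True  # pretend the directory answered


def _ldap_params(request: Dict[str, str]) -> Tuple[str, int, str, str]:
    return (
        request["ldap_host"],
        int(request.get("ldap_port", "389")),
        request.get("ldap_bind_dn", ""),
        request.get("ldap_bind_password", ""),
    )


class VulnerableAuthenticationUpdate:
    """Request flow check_input -> check_permissions -> do_action, with the
    LDAP round-trip wrongly placed inside check_input."""

    def __init__(self, ldap: RecordingLdapClient) -> None:
        self.ldap = ldap

    def check_input(self, request: Dict[str, str]) -> bool:
        if not request.get("ldap_host"):
            return False
        # BUG: network I/O to a caller-chosen host while merely "validating".
        return self.ldap.test_bind(*_ldap_params(request))

    def check_permissions(self, user: Dict[str, int]) -> bool:
        return user["role"] >= ROLE_SUPER_ADMIN

    def do_action(self, request: Dict[str, str]) -> str:
        return "saved"

    def handle(self, user: Dict[str, int], request: Dict[str, str]) -> str:
        if not self.check_input(request):
            return "bad input"
        if not self.check_permissions(user):
            return "forbidden"  # too late: the LDAP request has already gone out
        return self.do_action(request)


class FixedAuthenticationUpdate(VulnerableAuthenticationUpdate):
    """Same flow, but check_input is pure validation and the LDAP test bind
    only runs once the caller has been authorised."""

    def check_input(self, request: Dict[str, str]) -> bool:
        return bool(request.get("ldap_host"))

    def do_action(self, request: Dict[str, str]) -> str:
        if not self.ldap.test_bind(*_ldap_params(request)):
            return "ldap test failed"
        return "saved"


def replay(controller_cls) -> Tuple[str, List[Tuple[str, int]], str, List[Tuple[str, int]]]:
    """Send one constructed request through the controller as a low-privilege
    user and then as a super admin; report each result and what the LDAP
    client was asked to connect to."""
    # Constructed input: a low-privilege user pointing the "LDAP server" at an
    # internal link-local address, the classic SSRF target.
    request = {"ldap_host": "169.254.169.254", "ldap_port": "80"}
    low_priv = {"role": ROLE_USER}
    admin = {"role": ROLE_SUPER_ADMIN}

    ldap = RecordingLdapClient()
    low_result = controller_cls(ldap).handle(low_priv, request)
    low_attempts = list(ldap.attempts)

    ldap = RecordingLdapClient()
    admin_result = controller_cls(ldap).handle(admin, request)
    return low_result, low_attempts, admin_result, list(ldap.attempts)


if __name__ == "__main__":
    for cls in (VulnerableAuthenticationUpdate, FixedAuthenticationUpdate):
        low_result, low_attempts, admin_result, admin_attempts = replay(cls)
        print(f"{cls.__name__}: low-priv -> {low_result}, LDAP saw {low_attempts}; "
              f"admin -> {admin_result}, LDAP saw {admin_attempts}")
```

Both controllers return "forbidden" to the low-privilege caller, which is why the defect is easy to miss in a functional test: the visible outcome is correct, and only the recorded connection attempt shows that the vulnerable variant already contacted the attacker-chosen host. The check that matters is therefore not the HTTP response but whether any outbound request can be provoked before check_permissions has run.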

      People: sasha (Alexander Vladishev), mmelnikovs (Maris Melnikovs)