[ZBX-20384] Possible view of the setup pages by unauthenticated users if config file already exists (CVE-2022-23134) Created: 2021 Dec 20  Updated: 2024 Apr 10  Resolved: 2021 Dec 22

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 5.4.8, 6.0.0beta1
Fix Version/s: 5.4.9rc2, 6.0.0beta2, 6.0 (plan)

Type: Defect (Security) Priority: Blocker
Reporter: Alexander Vladishev Assignee: Andrejs Verza
Resolution: Fixed Votes: 0
Labels: security-vulnerabilities
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Causes: ZBX-20387 Broken language in setup routine for ... (Closed)
Duplicate
Team: Team A
Sprint: Sprint 83 (Dec 2021)
Story Points: 1

Description
CVE number: CVE-2022-23134
CVSS score: 3.7
Severity: Low
Description: After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well.
Known attack vectors: A malicious actor can pass the step checks and potentially change the configuration of the Zabbix frontend.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fix Version/s' section to the appropriate products or, if an immediate update is not possible, follow the workarounds presented below.
Acknowledgements: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us.
Affected versions: 5.4.0 - 5.4.8
6.0.0 - 6.0.0beta1
Workarounds: If an immediate update is not possible, please remove the setup.php file.
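The pattern behind this defect is a setup wizard whose step checks are satisfied by state the client can present, while the fact that installation has already finished is not enforced. The following is an added illustration in PHP, not Zabbix's own setup.php: it contrasts a gate that trusts only a session-carried step counter with one that ties access to server-side facts (does the config file exist, is the caller an authenticated super-administrator). The config path, the session layout and the `$isSuperAdmin` flag are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Zabbix code). Assumed location of the frontend
// configuration that the wizard writes on a successful install.
const CONFIG_FILE = __DIR__ . '/conf/frontend.conf.php';

// Weak gate: decides purely from the step counter held in session state.
// If that state is visible to or replayable by the client (for instance
// when session data lives in a cookie), an unauthenticated request can
// satisfy this check without ever having been through earlier steps.
function weakGate(array $session): bool
{
    return isset($session['step']) && (int) $session['step'] >= 1;
}

// Hardened gate: the wizard is open only while no configuration exists
// (fresh install, no users yet). Once the config file is present, every
// setup step requires an authenticated super-administrator, and that
// decision is taken from server-side state, not from the request.
function hardenedGate(bool $configExists, bool $isSuperAdmin): bool
{
    if (!$configExists) {
        return true;
    }
    return $isSuperAdmin;
}

// Request handler using the hardened gate; returns the response body.
function handleSetupRequest(array $session, bool $isSuperAdmin): string
{
    $configExists = is_file(CONFIG_FILE);
    if (!hardenedGate($configExists, $isSuperAdmin)) {
        // Setup already finished and caller is not a super-admin: refuse.
        return 'setup is complete; sign in as a super-administrator to change the configuration';
    }
    $step = (int) ($session['step'] ?? 0);
    return "serving setup step {$step}";
}

// Constructed scenarios: an anonymous request that claims to be at step 5.
$anonymous = ['step' => 5];

echo 'weak gate, anonymous at step 5: ',
    weakGate($anonymous) ? "allowed\n" : "denied\n";              // allowed
echo 'hardened gate, config exists, anonymous: ',
    hardenedGate(true, false) ? "allowed\n" : "denied\n";         // denied
echo 'hardened gate, config exists, super-admin: ',
    hardenedGate(true, true) ? "allowed\n" : "denied\n";          // allowed
echo 'hardened gate, no config yet, anonymous: ',
    hardenedGate(false, false) ? "allowed\n" : "denied\n";        // allowed
```

The workaround in the advisory (remove setup.php) is the blunt form of the same rule: once the configuration file exists, there is no legitimate unauthenticated path into the wizard, so the safest default is to make the wizard unreachable rather than to trust what a request claims about its own progress.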


Comments
Comment by Andrejs Verza [ 2021 Dec 21 ]

Resolved in development branch feature/DEV-2044-5.5

Comment by Andrejs Verza [ 2021 Dec 22 ]

Implemented in:

Comment by biyurong [ 2022 Apr 01 ]

Why was the commit to version 5.0 deleted?

Comment by Andrejs Verza [ 2022 Apr 01 ]

Hi, onlybee!

4.0 and 5.0 branches were excluded because those were not affected by the issue (the session data was not stored in cookies and therefore was not exposed to users).
