CVE-2022-23132
13.01.2022, 16:15
During Zabbix installation from RPM, the DAC_OVERRIDE SELinux capability is in use to access PID files in the [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permission checks at the file system level.
| Vendor | Product | Version |
|---|---|---|
| zabbix | zabbix | 4.0.0 ≤ x ≤ 4.0.36 |
| zabbix | zabbix | 5.0.0 ≤ x ≤ 5.0.18 |
| zabbix | zabbix | 5.4.0 ≤ x ≤ 5.4.8 |
| zabbix | zabbix | 6.0.0:alpha1 |
| zabbix | zabbix | 6.0.0:alpha2 |
| zabbix | zabbix | 6.0.0:alpha3 |
| zabbix | zabbix | 6.0.0:alpha4 |
| zabbix | zabbix | 6.0.0:alpha5 |
| zabbix | zabbix | 6.0.0:alpha6 |
| zabbix | zabbix | 6.0.0:alpha7 |

x = vulnerable software versions
Common Weakness Enumeration
- CWE-284 - Improper Access Control: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- CWE-732 - Incorrect Permission Assignment for Critical Resource: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.