CVE-2022-23132

During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.3 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
ZabbixCNA
3.3 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
VendorProductVersion
zabbixzabbix
4.0.0 ≤
𝑥
≤ 4.0.36
zabbixzabbix
5.0.0 ≤
𝑥
≤ 5.0.18
zabbixzabbix
5.4.0 ≤
𝑥
≤ 5.4.8
zabbixzabbix
6.0.0:alpha1
zabbixzabbix
6.0.0:alpha2
zabbixzabbix
6.0.0:alpha3
zabbixzabbix
6.0.0:alpha4
zabbixzabbix
6.0.0:alpha5
zabbixzabbix
6.0.0:alpha6
zabbixzabbix
6.0.0:alpha7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
zabbix
bullseye
vulnerable
buster
not-affected
stretch
not-affected
bullseye (security)
1:5.0.44+dfsg-1+deb11u1
fixed
bookworm
1:6.0.14+dfsg-1
fixed
sid
1:7.0.5+dfsg-1
fixed
trixie
1:7.0.5+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
zabbix
noble
dne
mantic
not-affected
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
focal
needed
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
https://support.zabbix.com/browse/ZBX-20341
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
https://support.zabbix.com/browse/ZBX-20341