CVE-2022-23134

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Severity
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Atk. Vector
NETWORK
Atk. Complexity
HIGH
Priv. Required
NONE
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
zabbixzabbix
5.4.0 ≤
𝑥
≤ 5.4.8
zabbixzabbix
6.0.0
zabbixzabbix
6.0.0
zabbixzabbix
6.0.0
zabbixzabbix
6.0.0
zabbixzabbix
6.0.0
zabbixzabbix
6.0.0
zabbixzabbix
6.0.0
zabbixzabbix
6.0.0
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
zabbix
bullseye
1:5.0.8+dfsg-1
not-affected
buster
not-affected
bullseye (security)
1:5.0.44+dfsg-1+deb11u1
fixed
bookworm
1:6.0.14+dfsg-1
fixed
sid
1:7.0.5+dfsg-1
fixed
trixie
1:7.0.5+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
zabbix
noble
dne
mantic
not-affected
lunar
ignored
kinetic
ignored
jammy
not-affected
impish
ignored
hirsute
ignored
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
https://support.zabbix.com/browse/ZBX-20384
https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
https://support.zabbix.com/browse/ZBX-20384