CVE-2022-23134 vulnerability in Zabbix and Other Products
Published on January 13, 2022

After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators but by unauthenticated users as well. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.


Known Exploited Vulnerability

This Zabbix Frontend Improper Access Control Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.

The following remediation steps are recommended / required by March 8, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2022-23134 is exploitable with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). An exploit of this vulnerability is considered to have no impact on confidentiality, no impact on integrity, and no impact on availability.

What is an Authentication Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2022-23134 has been classified as an authentication vulnerability or weakness.


Products Associated with CVE-2022-23134


What versions are vulnerable to CVE-2022-23134?