Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2022-23134
HistoryJan 13, 2022 - 4:15 p.m.

CVE-2022-23134

2022-01-1316:15:08
CWE-287
CWE-284
[email protected]
web.nvd.nist.gov
894
In Wild
2
cve
configuration
zabbix
frontend
security
vulnerability
authentication

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

6.7 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.63 Medium

EPSS

Percentile

97.9%

JSON

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

Affected configurations

NVD
Node
zabbixzabbixRange5.4.05.4.8
OR
zabbixzabbixMatch6.0.0alpha1
OR
zabbixzabbixMatch6.0.0alpha2
OR
zabbixzabbixMatch6.0.0alpha3
OR
zabbixzabbixMatch6.0.0alpha4
OR
zabbixzabbixMatch6.0.0alpha5
OR
zabbixzabbixMatch6.0.0alpha6
OR
zabbixzabbixMatch6.0.0alpha7
OR
zabbixzabbixMatch6.0.0beta1
Node
fedoraprojectfedoraMatch34
OR
fedoraprojectfedoraMatch35
Node
debiandebian_linuxMatch9.0

CNA Affected

[
  {
    "product": "Frontend",
    "vendor": "Zabbix",
    "versions": [
      {
        "status": "affected",
        "version": "5.4.0 - 5.4.8"
      },
      {
        "lessThan": "5.4.9*",
        "status": "unaffected",
        "version": "5.4.9",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

Related

openvas 4
cvelist 1
checkpoint_advisories 1
prion 1
debian 1
debiancve 1
osv 2
alpinelinux 1
attackerkb 1
nessus 3
cisa_kev 1
nvd 1
ubuntucve 1
nuclei 1
cisa 1
hivepro 1
thn 1
fedora 2
sonarsource 1
suse 2
openvas
openvas
Debian: Security Advisory (DLA-2914-1)
2022-02-08 00:00:00
Fedora: Security Advisory for zabbix (FEDORA-2022-1a667b0f90)
2022-01-23 00:00:00
openSUSE: Security Advisory for zabbix (openSUSE-SU-2022:0036-1)
2022-02-18 00:00:00
cvelist
cvelist
CVE-2022-23134 Possible view of the setup pages by unauthenticated users if config file already exists
2021-12-20 00:00:00
checkpoint_advisories
checkpoint_advisories
Zabbix Web Frontend Authentication Bypass (CVE-2022-23134)
2022-03-02 00:00:00
prion
prion
Design/Logic Flaw
2022-01-13 16:15:00
debian
debian
[SECURITY] [DLA 2914-1] zabbix security update
2022-02-07 21:49:09
debiancve
debiancve
CVE-2022-23134
2022-01-13 16:15:08
osv
osv
zabbix - security update
2022-02-07 00:00:00
CVE-2022-23134
2022-01-13 16:15:08
alpinelinux
alpinelinux
CVE-2022-23134
2022-01-13 16:15:00
attackerkb
attackerkb
CVE-2022-23134
2021-12-20 00:00:00
nessus
nessus
Debian DLA-2914-1 : zabbix - LTS security update
2022-02-07 00:00:00
openSUSE 15 Security Update : zabbix (openSUSE-SU-2022:0036-1)
2022-02-17 00:00:00
Zabbix 5.4.x < 5.4.9 Multiple Vulnerabilities
2022-02-28 00:00:00
cisa_kev
cisa_kev
Zabbix Frontend Improper Access Control Vulnerability
2022-02-22 00:00:00
nvd
nvd
CVE-2022-23134
2022-01-13 16:15:08
ubuntucve
ubuntucve
CVE-2022-23134
2022-01-13 00:00:00
nuclei
nuclei
Zabbix Setup Configuration Authentication Bypass
2022-02-25 16:00:40
cisa
cisa
CISA Adds Two Known Exploited Vulnerabilities to Catalog
2022-02-22 00:00:00
hivepro
hivepro
Zabbix affected by two actively exploited vulnerabilities
2022-02-24 10:27:48
thn
thn
CISA Alerts on Actively Exploited Flaws in Zabbix Network Monitoring Platform
2022-02-24 12:16:00
fedora
fedora
[SECURITY] Fedora 35 Update: zabbix-5.0.19-1.fc35
2022-01-23 01:44:38
[SECURITY] Fedora 34 Update: zabbix-5.0.19-1.fc34
2022-01-23 01:08:21
sonarsource
sonarsource
Zabbix - A Case Study of Unsafe Session Storage
2022-02-16 00:00:00
suse
suse
Security update for zabbix (moderate)
2022-02-16 00:00:00
Security update for MozillaThunderbird (important)
2022-03-01 00:00:00

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

6.7 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.63 Medium

EPSS

Percentile

97.9%

JSON
Related for CVE-2022-23134
openvas4cvelist1checkpoint_advisories1prion1debian1debiancve1osv2alpinelinux1attackerkb1nessus3cisa_kev1nvd1ubuntucve1nuclei1cisa1hivepro1thn1fedora2sonarsource1suse2