CVE-2022-23134

high-risk
Published 2022-01-13

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

Do I need to act?

!
93.1% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (12)

Affected Vendors

Debian Fedoraproject Zabbix

References (9)

Mailing List https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Issue Tracking https://support.zabbix.com/browse/ZBX-20384
Mailing List https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Issue Tracking https://support.zabbix.com/browse/ZBX-20384
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-...
57
/ 100
high-risk
Severity 13/34 · Low
Exploitability 27/34 · High
Exposure 17/34 · Moderate