| Zabbix ID |
CVE number |
CVSS score |
Zabbix
?
severity
|
Critical - vulnerabilities that could be easily exploited by a remote unauthenticated actor and lead to Zabbix compromise without requiring user interaction or allow remote unauthorized users to gain Super Admin privileges. Please install required updates or apply workarounds as soon as possible.
High - vulnerabilities that can easily compromise the confidentiality, integrity or availability of Zabbix components. These vulnerabilities allow local or authenticated users to gain additional privileges, allow remote unauthorized users to view information in Zabbix or allow authenticated remote users to execute arbitrary code. Install required updates based on your maintenance window.
Medium - vulnerabilities that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of Zabbix under certain circumstances. Such vulnerabilities could have a Critical or High severity but are less easily exploited and/or affect unlikely configurations. Evaluate possible risks and install updates if it is required.
Low - other vulnerabilities that may have a security impact. Such vulnerabilities require unlikely circumstances to be exploited, or their successful exploitation would give minimal consequences. Evaluate possible risks and install updates if it is required.
Synopsis |
Component/s |
Affected version/s |
Published |
| ZBV-2023-07-27-9
|
CVE-2023-29458 |
5.9 |
Medium |
Duktape 2.6 bug crashes JavaScript putting too many values in valstack.
| CVE/Advisory number: |
CVE-2023-29458 |
| Synopsis: |
Duktape 2.6 bug crashes JavaScript putting too many values in valstack. |
| Description: |
Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use. |
| Known Attack Vectors: |
This vulnerability could be uses to intentionally add too many values into valstack to crush JavaScript. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
Server,
Proxy |
| 5.0.0-5.0.34 |
5.0.35rc1 |
| 6.0.0-6.0.17 |
6.0.18rc1 |
| 6.4.0-6.4.2 |
6.4.3rc1 |
| 7.0.0alpha1 |
7.0.0alpha1 |
|
5.9
|
Medium
|
ZBX-22989
|
|
Server,
Proxy |
5.0.0-5.0.34
6.0.0-6.0.17
6.4.0-6.4.2
7.0.0alpha1
|
2001 Jan 01 |
| ZBV-2023-07-27-8
|
CVE-2023-29457 |
6.3 |
Medium |
Insufficient validation of Action form input fields
| CVE/Advisory number: |
CVE-2023-29457 |
| Synopsis: |
Insufficient validation of Action form input fields |
| Description: |
Reflected XSS attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as request to a website with a vulnerability that enables execution of malicious scripts. |
| Known Attack Vectors: |
Using reflected XSS session cookies could be revealed, enabling a perpetrator to impersonate valid users and abuse their private accounts. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0-4.0.45 |
4.0.46rc1 |
| 5.0.0-5.0.34 |
5.0.35rc1 |
| 6.0.0-6.0.17 |
6.0.18rc1 |
|
6.3
|
Medium
|
ZBX-22988
|
|
Frontend |
4.0.0-4.0.45
5.0.0-5.0.34
6.0.0-6.0.17
|
2023 Jun 16 |
| ZBV-2023-07-27-7
|
CVE-2023-29456 |
5.7 |
Medium |
Inefficient URL schema validation
| CVE/Advisory number: |
CVE-2023-29456 |
| Synopsis: |
Inefficient URL schema validation |
| Description: |
URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet standards. |
| Known Attack Vectors: |
This Inefficient URL schema validation leads to the XSS in maps, triggers, and other places where links can be added. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0-4.0.46 |
4.0.47rc1 |
| 5.0.0-5.0.35 |
5.0.36rc1 |
| 6.0.0-6.0.18 |
6.0.19rc1 |
| 6.4.0-6.4.3 |
6.4.4rc1 |
| 7.0.0alpha1 |
7.0.0alpha2 |
|
5.7
|
Medium
|
ZBX-22987
|
|
Frontend |
4.0.0-4.0.46
5.0.0-5.0.35
6.0.0-6.0.18
6.4.0-6.4.3
7.0.0alpha1
|
2023 Jun 16 |
| ZBV-2023-07-27-6
|
CVE-2023-29455 |
5.4 |
Medium |
Reflected XSS in several fields of graph form
| CVE/Advisory number: |
CVE-2023-29455 |
| Synopsis: |
Reflected XSS in several fields of graph form |
| Description: |
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. |
| Known Attack Vectors: |
Using this vulnerability attacker can pass malicious code as GET request to graph.php and system will save it and will execute when current graph page is opened. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0–4.0.45 |
4.0.46rc1 |
| 5.0.0–5.0.33 |
5.0.35rc1 |
|
5.4
|
Medium
|
ZBX-22986
|
|
Frontend |
4.0.0–4.0.45
5.0.0–5.0.33
|
2023 Jun 16 |
| ZBV-2023-07-27-5
|
CVE-2023-29454 |
5.4 |
Medium |
Persistent XSS in the user form
| CVE/Advisory number: |
CVE-2023-29454 |
| Synopsis: |
Persistent XSS in the user form |
| Description: |
Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages. |
| Known Attack Vectors: |
Vulnerability was found on "Users" section in "Media" tab in "Send to" form field. When new media is created with malicious code included into field "Send to" then it will execute when editing the same media. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0-4.0.45 |
4.0.46rc1 |
| 5.0.0-5.0.33 |
5.0.35rc1 |
| 6.0.0-6.0.16 |
6.0.18rc1 |
|
5.4
|
Medium
|
ZBX-22985
|
|
Frontend |
4.0.0-4.0.45
5.0.0-5.0.33
6.0.0-6.0.16
|
2023 Jun 16 |
| ZBV-2023-07-27-4
|
CVE-2023-29452 |
5.5 |
Medium |
Remove possibility to add html into Geomap attribution field
| CVE/Advisory number: |
CVE-2023-29452 |
| Synopsis: |
Remove possibility to add html into Geomap attribution field |
| Description: |
Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Other” Tile provider. |
| Known Attack Vectors: |
Information that is inserted into this field “Attribution text” is displayed in a small text box on the map. Malicious code can be entered into field and executed when user views map. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 6.0.0-6.0.17 |
6.0.18rc1 |
| 6.4.0-6.4.2 |
6.4.2rc1 |
| 7.0.0-7.0.0alpha1 |
7.0.0alpha1 |
|
5.5
|
Medium
|
ZBX-22981
|
|
Frontend |
6.0.0-6.0.17
6.4.0-6.4.2
7.0.0-7.0.0alpha1
|
2023 Jun 16 |
| ZBV-2023-07-27-3
|
CVE-2023-29451 |
4.7 |
Medium |
Denial of service caused by a bug in the JSON parser
| CVE/Advisory number: |
CVE-2023-29451 |
| Synopsis: |
Denial of service caused by a bug in the JSON parser |
| Description: |
Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy. |
| Known Attack Vectors: |
Buffer overrun causing Denial of service |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
Server,
Proxy |
| 6.0-6.0.14 |
6.0.15rc1 |
| 6.2-6.2.8 |
6.2.9rc2 |
| 6.4-6.4.0 |
6.4.1rc2 |
| 7.0.0alpha1 |
7.0.0alpha1 |
|
4.7
|
Medium
|
ZBX-22587
|
|
Server,
Proxy |
6.0-6.0.14
6.2-6.2.8
6.4-6.4.0
7.0.0alpha1
|
2023 Mar 10 |
| ZBV-2023-07-27-2
|
CVE-2023-29450 |
8.5 |
High |
Unauthorized limited filesystem access from preprocessing
| CVE/Advisory number: |
CVE-2023-29450 |
| Synopsis: |
Unauthorized limited filesystem access from preprocessing |
| Description: |
JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. |
| Known Attack Vectors: |
Information disclosure |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
Server,
Proxy |
| 5.0-5.0.31 |
5.0.32rc1 |
| 6.0-6.0.13 |
6.0.14rc1 (6.0.16 is recommended) |
| 6.2-6.2.7 |
6.2.8rc1 |
| 6.4-6.4.0rc1 |
6.4.0rc2 |
|
8.5
|
High
|
ZBX-22588
|
|
Server,
Proxy |
5.0-5.0.31
6.0-6.0.13
6.2-6.2.7
6.4-6.4.0rc1
|
2023 Feb 23 |
| ZBV-2023-07-27-1
|
CVE-2023-29449 |
5.9 |
Medium |
Limited control of resource utilization in JS preprocessing
| CVE/Advisory number: |
CVE-2023-29449 |
| Synopsis: |
Limited control of resource utilization in JS preprocessing |
| Description: |
JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access. |
| Known Attack Vectors: |
Allocation of resources without limits or throttling |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
None |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
Server,
Proxy |
| 4.4.4-4.4.* |
- |
| 5.0.0alpha1-5.0.31 |
5.0.32rc1 |
| 5.2.0alpha1-5.2.* |
- |
| 5.4.0alpha1-5.4.* |
- |
| 6.0.0alpha1-6.0.13 |
6.0.14rc1 (6.0.16 is recommended) |
| 6.2.0alpha1-6.2.7 |
6.2.8rc1 |
| 6.4.0alpha1-6.4.0beta6 |
6.4.0rc2 |
|
5.9
|
Medium
|
ZBX-22589
|
|
Server,
Proxy |
4.4.4-4.4.*
5.0.0alpha1-5.0.31
5.2.0alpha1-5.2.*
5.4.0alpha1-5.4.*
6.0.0alpha1-6.0.13
6.2.0alpha1-6.2.7
6.4.0alpha1-6.4.0beta6
|
2023 Jan 06 |
| ZBV-2022-12-1
|
CVE-2022-43516 |
6.5 |
Medium |
Zabbix Agent installer adds “allow all TCP any any” firewall rule
| CVE/Advisory number: |
CVE-2022-43516 |
| Synopsis: |
Zabbix Agent installer adds “allow all TCP any any” firewall rule |
| Description: |
A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI) |
| Known Attack Vectors: |
An attacker can connect to all TCP services running on the machine with Zabbix Agent |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround |
| Workaraunds: |
If an immediate update is not possible, change the applied local firewall rule to allow the agent port only. |
| Acknowledgements: |
Joshua PowellNishiyama |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
Agent,
Agent2 |
| MSI pkg. (29.oct.22 - 2.dec.22) |
MSI pkg. => 3.dec.22 |
|
6.5
|
Medium
|
ZBX-22002
|
|
Agent,
Agent2 |
MSI pkg. (29.oct.22 - 2.dec.22)
|
2022 Nov 30 |
| ZBA-2022-10-1
|
- |
- |
High |
Some Zabbix products are affected by CVE-2022-3786 and CVE-2022-3602 vulnerabilities in OpenSSL
| CVE/Advisory number: |
- |
| Synopsis: |
Some Zabbix products are affected by CVE-2022-3786 and CVE-2022-3602 vulnerabilities in OpenSSL |
| Description: |
On October 25, 2022, OpenSSL teams announced a new release of OpenSSL (version 3.0.7) to address high-security vulnerabilities. The specific vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have no exploits yet, but analysts and businesses in the web security field encourage to update OpenSSL. |
| Known Attack Vectors: |
A possible buffer overrun via X.509 certificate verification, specifically in name constraint checking, on Zabbix component which supports OpenSSL. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. |
| Resolution: |
What you need to know now:
-
Zabbix Sources fully rely on OpenSSL installed in the operating system. If the system has OpenSSL 1.1.1 - 1.0.2 installed, then your Zabbix components are not affected by these vulnerabilities. If the system has OpenSSL versions 3.0.0 to 3.0.6 installed, then it is affected by this issue and OpenSSL should be updated.
OpenSSL version used by Zabbix can be determined using command line option -V:
$ zabbix_server -V
...
Compiled with OpenSSL 3.0.7 1 Nov 2022
Running with OpenSSL 3.0.7 1 Nov 2022
Similar commands for other components:
$ zabbix_proxy -V
$ zabbix_agentd -V
$ zabbix_get -V
$ zabbix_sender -V
If the lines "Compiled with ..." and "Running with ..." are not shown in output, then your Zabbix has been compiled without OpenSSL support.
-
Zabbix Appliances are not affected by the vulnerabilities, because they have been built without OpenSSL v.3.X.
-
Zabbix Agents (except agents for Solaris) are not affected by the vulnerabilities, because they have been compiled without OpenSSL v.3.X. If you use Zabbix agent <= v6.0.8 (10, 11) for Solaris, our recommendation is to update it till v6.0.9, which includes OpenSSL v. 3.0.7.
-
Zabbix Containers are affected by the vulnerabilities and utilized OpenSSL <= v. 3.0.6, so we have updated them on the 1st of November, please use them.
-
Zabbix Packages are not affected by the vulnerabilities, because they have been compiled without OpenSSL v.3.X.
|
| Workaraunds: |
If an immediate update is not possible, review network access to the vulnerable components and whitelist it. |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
Agent,
Containers,
Packages |
| <=v6.0.8 (Solaris) |
>=v6.0.9 (Solaris) |
| all versions <=31/Oct/2022 |
all versions >=1/Nov/2022 |
|
-
|
High
|
ZBXSEC-128
|
|
Agent,
Containers,
Packages |
<=v6.0.8 (Solaris)
all versions <=31/Oct/2022
|
2022 Oct 31 |
| ZBV-2022-10-1
|
CVE-2022-43515 |
5.3 |
Medium |
X-Forwarded-For header is active by default causes access to Zabbix sites in maintenance mode
| CVE/Advisory number: |
CVE-2022-43515 |
| Synopsis: |
X-Forwarded-For header is active by default causes access to Zabbix sites in maintenance mode |
| Description: |
Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. |
| Known Attack Vectors: |
An attacker can fabricate X-Forwarded-For header and thereby gain access to Zabbix Frontend in maintenance mode. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround |
| Workaraunds: |
If an immediate update is not possible, limit network access to Zabbix Frontend during the maintenance window. |
| Acknowledgements: |
osman1337 |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0-4.0.44 |
- |
| 5.0.0-5.0.29 |
=>5.0.30rc1 |
| 6.0.0-6.0.9 |
=>6.0.11rc1 |
| 6.2.0-6.2.4 |
=>6.2.5rc1 |
|
5.3
|
Medium
|
ZBX-22050
|
|
Frontend |
4.0.0-4.0.44
5.0.0-5.0.29
6.0.0-6.0.9
6.2.0-6.2.4
|
2022 Oct 18 |
| ZBV-2022-09-1
|
CVE-2022-46768 |
5.9 |
Medium |
File name information disclosure vulnerability in Zabbix Web Service Report Generation
| CVE/Advisory number: |
CVE-2022-46768 |
| Synopsis: |
File name information disclosure vulnerability in Zabbix Web Service Report Generation |
| Description: |
Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files. |
| Known Attack Vectors: |
An attacker can read arbitrary files on the file system without authentication with 2 pre-conditions: 1. Zabbix web service has to allow the access from attacker's IP in the zabbix_web_service.conf file; 2. Victim server has to install Google Chrome |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround |
| Workaraunds: |
If an immediate update is not possible, limit network access to Zabbix Web Service Report Generation. |
| Acknowledgements: |
Trend Micro ZDI |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Report generation |
| 6.0.0-6.0.11 |
=>6.0.12rc1 |
| 6.2.0-6.2.5 |
=>6.2.6rc1 |
|
5.9
|
Medium
|
ZBX-22087
|
|
Report generation |
6.0.0-6.0.11
6.2.0-6.2.5
|
2022 Sep 21 |
| ZBA-2022-07-1
|
- |
- |
- |
Zabbix products are not affected by CVE-2022-2068 vulnerability in OpenSSL
| CVE/Advisory number: |
- |
| Synopsis: |
Zabbix products are not affected by CVE-2022-2068 vulnerability in OpenSSL |
| Description: |
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review and reported on 13 Jun 2022 (CVE-2022-2068). Zabbix team has evaluated all products and can conclude they are not affected by this vulnerability. |
| Known Attack Vectors: |
- |
| Resolution: |
- |
| Workaraunds: |
- |
| Acknowledgements: |
|
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| - |
|
-
|
-
|
ZBXSEC-105
|
|
- |
-
|
2022 Jul 26 |
| ZBV-2022-07-1
|
CVE-2022-40626 |
4.8 |
Medium |
Reflected XSS in action configuration window of Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-40626 |
| Synopsis: |
Reflected XSS in action configuration window of Zabbix Frontend |
| Description: |
An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users. |
| Known Attack Vectors: |
When prepared link with malicious code is sent to a user with privileged rights in Zabbix and the user follows the link, the XSS payload will create a fake account with predefined login, password and role in Zabbix Frontend. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you can receive via email or other means of communication, which lead to Zabbix Frontend and contain suspicious parameters with special symbols. |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 6.0.0-6.0.6 |
=>6.0.7rc1 |
| 6.2.0 |
=>6.2.1rc1 |
|
4.8
|
Medium
|
ZBX-21350
|
|
Frontend |
6.0.0-6.0.6
6.2.0
|
2022 Jul 08 |
| ZBV-2022-04-1
|
CVE-2022-35229 |
3.7 |
Low |
Reflected XSS in discovery page of Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-35229 |
| Synopsis: |
Reflected XSS in discovery page of Zabbix Frontend |
| Description: |
An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
| Known Attack Vectors: |
Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you can receive via email or other means of communication, which lead to the discoveryconf.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on the suspicious link, do not fill out the opened form. |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| =>4.0.0 |
=>4.0.43rc1 |
| 5.0.0-5.0.24 |
=>5.0.25 |
| 6.0.0-6.0.4 |
=>6.0.5 |
| 6.2alpha1-6.2beta3 |
=>6.2.0rc1 |
|
3.7
|
Low
|
ZBX-21306
|
|
Frontend |
=>4.0.0
5.0.0-5.0.24
6.0.0-6.0.4
6.2alpha1-6.2beta3
|
2022 Apr 27 |
| ZBV-2022-04-2
|
CVE-2022-35230 |
3.7 |
Low |
Reflected XSS in graphs page of Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-35230 |
| Synopsis: |
Reflected XSS in graphs page of Zabbix Frontend |
| Description: |
An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
| Known Attack Vectors: |
Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you can receive via email or other means of communication, which lead to the graphs.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on the suspicious link, do not fill out the opened form |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| =>4.0.23rc1 |
=>4.0.43rc1 |
| 5.0.0-5.0.24 |
=>5.0.25rc1 |
|
3.7
|
Low
|
ZBX-21305
|
|
Frontend |
=>4.0.23rc1
5.0.0-5.0.24
|
2022 Apr 27 |
| ZBA-2022-04-1
|
- |
- |
- |
Zabbix products are not affected by vulnerabilities in Spring Framework (CVE-2022-22965 - Spring4Shell) and Spring Cloud Function (CVE-2022-22963)
| CVE/Advisory number: |
- |
| Synopsis: |
Zabbix products are not affected by vulnerabilities in Spring Framework (CVE-2022-22965 - Spring4Shell) and Spring Cloud Function (CVE-2022-22963) |
| Description: |
After the Spring cloud vulnerability (CVE-2022-22963) reported on the 1st of April, a new vulnerability called Spring4shell CVE-2022-22965 was reported on the very popular Java framework Spring Core on JDK9+. Zabbix team has evaluated all products and can conclude they are not affected by these vulnerabilities. |
| Known Attack Vectors: |
- |
| Resolution: |
- |
| Workaraunds: |
- |
| Acknowledgements: |
|
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| - |
|
-
|
-
|
ZBXSEC-90
|
|
- |
-
|
2022 Apr 04 |
| ZBA-2022-03-1
|
- |
- |
- |
Zabbix products are not affected by CVE-2018-25032 vulnerability in zlib 1.2.11
| CVE/Advisory number: |
- |
| Synopsis: |
Zabbix products are not affected by CVE-2018-25032 vulnerability in zlib 1.2.11 |
| Description: |
Zabbix team has evaluated all products, which potentially could be affected by a vulnerability identified in Zlib (v.<1.2.11, CVE-2018-25032) and allows memory corruption when deflating (e.g., when compressing) if the input has many distant matches. We can conclude that Zabbix products are not affected by this vulnerability. |
| Known Attack Vectors: |
- |
| Resolution: |
- |
| Workaraunds: |
- |
| Acknowledgements: |
|
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| - |
|
-
|
-
|
ZBXSEC-87
|
|
- |
-
|
2022 Mar 28 |
| ZBV-2022-01-2
|
CVE-2022-24917 |
3.7 |
Low |
Reflected XSS in service configuration window of Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-24917 |
| Synopsis: |
Reflected XSS in service configuration window of Zabbix Frontend |
| Description: |
An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
| Known Attack Vectors: |
Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0-4.0.38 |
=>4.0.39rc1 |
| 5.0.0-5.0.20 |
=>5.0.21rc1 |
| 5.4.0-5.4.10 |
=>5.4.11rc1 |
|
3.7
|
Low
|
ZBX-20680
|
|
Frontend |
4.0.0-4.0.38
5.0.0-5.0.20
5.4.0-5.4.10
|
2022 Feb 02 |
| ZBV-2022-01-3
|
CVE-2022-24918 |
3.7 |
Low |
Reflected XSS in item configuration window of Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-24918 |
| Synopsis: |
Reflected XSS in item configuration window of Zabbix Frontend |
| Description: |
An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
| Known Attack Vectors: |
Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 5.0.0-5.0.20 |
=>5.0.21rc1 |
| 5.4.0-5.4.10 |
=>5.4.11rc1 |
| 6.0 |
=>6.0.1rc1 |
|
3.7
|
Low
|
ZBX-20680
|
|
Frontend |
5.0.0-5.0.20
5.4.0-5.4.10
6.0
|
2022 Feb 02 |
| ZBV-2022-01-1
|
CVE-2022-24349 |
4.6 |
Medium |
Reflected XSS in action configuration window of Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-24349 |
| Synopsis: |
Reflected XSS in action configuration window of Zabbix Frontend |
| Description: |
An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. |
| Known Attack Vectors: |
Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you can receive via email or other means of communication, which lead to the actionconf.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on the suspicious link, do not fill out the opened form. |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0-4.0.38 |
=>4.0.39rc1 |
| 5.0.0-5.0.20 |
=>5.0.21rc1 |
| 5.4.0-5.4 |
=>5.4.11rc1 |
| 6.0 |
=>6.0.1rc1 |
|
4.6
|
Medium
|
ZBX-20680
|
|
Frontend |
4.0.0-4.0.38
5.0.0-5.0.20
5.4.0-5.4
6.0
|
2022 Feb 01 |
| ZBV-2022-01-4
|
CVE-2022-24919 |
3.7 |
Low |
Reflected XSS in graph configuration window of Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-24919 |
| Synopsis: |
Reflected XSS in graph configuration window of Zabbix Frontend |
| Description: |
An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
| Known Attack Vectors: |
Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 4.0.0-4.0.38 |
=>4.0.39rc1 |
| 5.0.0-5.0.20 |
=>5.0.21rc1 |
| 5.4.0-5.4.10 |
=>5.4.11rc1 |
| 6.0 |
=>6.0.1rc1 |
|
3.7
|
Low
|
ZBX-20680
|
|
Frontend |
4.0.0-4.0.38
5.0.0-5.0.20
5.4.0-5.4.10
6.0
|
2022 Feb 01 |
| ZBV-2021-12-2
|
CVE-2022-23134 |
3.7 |
Low |
Possible view of the setup pages by unauthenticated users if config file already exists
| CVE/Advisory number: |
CVE-2022-23134 |
| Synopsis: |
Possible view of the setup pages by unauthenticated users if config file already exists |
| Description: |
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. |
| Known Attack Vectors: |
Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or if immediate update is not possible, follow the presented below workarounds. |
| Workaraunds: |
If an immediate update is not possible, please remove the setup.php file |
| Acknowledgements: |
Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 5.4.0 - 5.4.8 |
5.4.9 |
| 6.0.0 - 6.0.0beta1 |
6.0.0beta2 |
|
3.7
|
Low
|
ZBX-20384
|
|
Frontend |
5.4.0 - 5.4.8
6.0.0 - 6.0.0beta1
|
2021 Dec 20 |
| ZBA-2021-12-4
|
- |
- |
Medium |
Possible remote code execution in Zabbix Java Gateway with logback 1.2.7 and prior versions
| CVE/Advisory number: |
- |
| Synopsis: |
Possible remote code execution in Zabbix Java Gateway with logback 1.2.7 and prior versions |
| Description: |
In Zabbix Java Gateway with logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. |
| Known Attack Vectors: |
A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met: write access to zabbix_java_gateway_logback.xml; use of logback versions < 1.2.9; reloading of poisoned configuration data, which implies application restart or scan="true" set prior to the attack. An attacker with such privileges may get remote access to the server with Zabbix Java Gateway |
| Resolution: |
To remediate CVE-2021-42550 apply the updates listed in the 'Fixed Version' section to appropriate products or if an immediate update is not possible, follow the presented below workarounds. As an additional measure for the fixed versions, we also recommend checking permission to /etc/zabbix/zabbix_java_gateway_logback.xml file and set it read-only, if write permissions are available for “zabbix” user. |
| Workaraunds: |
If an immediate update is not possible, check permissions for “zabbix” user: /etc/zabbix/zabbix_java_gateway_logback.xml file permissions are set to read-only only; the user cannot restart Zabbix Java Gateway service. |
| Acknowledgements: |
- |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Java gateway |
| 2.0-2.X |
not supported |
| 3.0-3.X |
not supported |
| 4.0.0 - 4.0.36 |
4.0.37 |
| 5.0.18 |
5.0.19 |
| 5.4.0 -5.4.8 |
5.4.9 |
| 6.0.0alpha1-6.0.0beta1 |
6.0.0beta2 |
|
-
|
Medium
|
ZBX-20383
|
|
Java gateway |
2.0-2.X
3.0-3.X
4.0.0 - 4.0.36
5.0.18
5.4.0 -5.4.8
6.0.0alpha1-6.0.0beta1
|
2021 Dec 16 |
| ZBV-2021-12-3
|
CVE-2022-23133 |
6.3 |
Medium |
Stored XSS in host groups configuration window in Zabbix Frontend
| CVE/Advisory number: |
CVE-2022-23133 |
| Synopsis: |
Stored XSS in host groups configuration window in Zabbix Frontend |
| Description: |
An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. |
| Known Attack Vectors: |
When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts. |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
Zabbix wants to thank Hazem Osama for reporting this issue to us |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 5.0.0 – 5.0.18 |
5.0.19 |
| 5.4.0 – 5.4.8 |
5.4.9 |
| 6.0.0alpha1 |
6.0.0beta1 |
|
6.3
|
Medium
|
ZBX-20388
|
|
Frontend |
5.0.0 – 5.0.18
5.4.0 – 5.4.8
6.0.0alpha1
|
2021 Dec 08 |
| ZBV-2021-12-5
|
CVE-2022-23132 |
3.3 |
Low |
Incorrect permissions of [/var/run/zabbix] forces dac_override
| CVE/Advisory number: |
CVE-2022-23132 |
| Synopsis: |
Incorrect permissions of [/var/run/zabbix] forces dac_override |
| Description: |
During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level. |
| Known Attack Vectors: |
- |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products. |
| Workaraunds: |
- |
| Acknowledgements: |
Zabbix wants to thank Brian J. Murrell for reporting this issue to us |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
Proxy,
Server |
| 4.0.0 - 4.0.36 |
no fixes provided |
| 5.0.18 |
5.0.19 |
| 5.4.0 – 5.4.8 |
5.4.9 |
| 6.0.0alpha1-6.0.0alpha7 |
6.0.0beta1 |
|
3.3
|
Low
|
ZBX-20341
|
|
Proxy,
Server |
4.0.0 - 4.0.36
5.0.18
5.4.0 – 5.4.8
6.0.0alpha1-6.0.0alpha7
|
2021 Dec 01 |
| ZBV-2021-11-1
|
CVE-2022-23131 |
9.1 |
Critical |
Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML
| CVE/Advisory number: |
CVE-2022-23131 |
| Synopsis: |
Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML |
| Description: |
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. |
| Known Attack Vectors: |
Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default). |
| Resolution: |
To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or if an immediate update is not possible, follow the presented below workarounds. |
| Workaraunds: |
Disable SAML authentication |
| Acknowledgements: |
Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us |
| Component/s |
| Affected version/s |
Fix version/s |
|
CVSS score |
Zabbix severity |
Tickets |
| Frontend |
| 5.4.0 - 5.4.8 |
5.4.9 |
| 6.0.0alpha1 |
6.0.0beta1 |
|
9.1
|
Critical
|
ZBX-20350
|
|
Frontend |
5.4.0 - 5.4.8
6.0.0alpha1
|
2021 Nov 22 |