Zabbix ID | CVE number | CVSS score | Zabbix severity | Synopsis | Component/s | Affected version/s | Published

Zabbix severity levels:
Critical - vulnerabilities that could be easily exploited by a remote unauthenticated actor and lead to Zabbix compromise without requiring user interaction, or that allow remote unauthorized users to gain Super Admin privileges. Please install the required updates or apply workarounds as soon as possible.
High - vulnerabilities that can easily compromise the confidentiality, integrity or availability of Zabbix components. These vulnerabilities allow local or authenticated users to gain additional privileges, allow remote unauthorized users to view information in Zabbix, or allow authenticated remote users to execute arbitrary code. Install the required updates based on your maintenance window.
Medium - vulnerabilities that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of Zabbix under certain circumstances. Such vulnerabilities could have a Critical or High severity but are less easily exploited and/or affect unlikely configurations. Evaluate the possible risks and install updates if required.
Low - other vulnerabilities that may have a security impact. Such vulnerabilities require unlikely circumstances to be exploited, or their successful exploitation would have minimal consequences. Evaluate the possible risks and install updates if required.
ZBA-2022-04-1 | - | - | - | Zabbix products are not affected by vulnerabilities in Spring Framework (CVE-2022-22965 - Spring4Shell) and Spring Cloud Function (CVE-2022-22963) | - | - | 2022 Apr 04
CVE/Advisory number: -
Synopsis: Zabbix products are not affected by vulnerabilities in Spring Framework (CVE-2022-22965 - Spring4Shell) and Spring Cloud Function (CVE-2022-22963)
Description: After the Spring Cloud vulnerability (CVE-2022-22963) reported on the 1st of April, a new vulnerability called Spring4Shell (CVE-2022-22965) was reported in the very popular Java framework Spring Core on JDK 9+. The Zabbix team has evaluated all products and can conclude that they are not affected by these vulnerabilities.
Known Attack Vectors: -
Resolution: -
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
- | - | - | - | - | ZBXSEC-90
ZBA-2022-03-1 | - | - | - | Zabbix products are not affected by CVE-2018-25032 vulnerability in zlib 1.2.11 | - | - | 2022 Mar 28
CVE/Advisory number: -
Synopsis: Zabbix products are not affected by CVE-2018-25032 vulnerability in zlib 1.2.11
Description: The Zabbix team has evaluated all products that could potentially be affected by a vulnerability identified in zlib (v.<1.2.11, CVE-2018-25032), which allows memory corruption when deflating (i.e., compressing) input that has many distant matches. We can conclude that Zabbix products are not affected by this vulnerability.
Known Attack Vectors: -
Resolution: -
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
- | - | - | - | - | ZBXSEC-87
ZBV-2022-01-2 | CVE-2022-24917 | 3.7 | Low | Reflected XSS in service configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38, 5.0.0-5.0.20, 5.4.0-5.4.10 | 2022 Feb 02
CVE/Advisory number: CVE-2022-24917
Synopsis: Reflected XSS in service configuration window of Zabbix Frontend
Description: An authenticated user can create a link to the services page containing reflected JavaScript code and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which changes periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 4.0.0-4.0.38 | =>4.0.39rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.4.0-5.4.10 | =>5.4.11rc1 | 3.7 | Low | ZBX-20680
ZBV-2022-01-3 | CVE-2022-24918 | 3.7 | Low | Reflected XSS in item configuration window of Zabbix Frontend | Frontend | 5.0.0-5.0.20, 5.4.0-5.4.10, 6.0 | 2022 Feb 02
CVE/Advisory number: CVE-2022-24918
Synopsis: Reflected XSS in item configuration window of Zabbix Frontend
Description: An authenticated user can create a link to the items page containing reflected JavaScript code and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which changes periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.4.0-5.4.10 | =>5.4.11rc1 | 3.7 | Low | ZBX-20680
Frontend | 6.0 | =>6.0.1rc1 | 3.7 | Low | ZBX-20680
ZBV-2022-01-1 | CVE-2022-24349 | 4.6 | Medium | Reflected XSS in action configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38, 5.0.0-5.0.20, 5.4.0-5.4, 6.0 | 2022 Feb 01
CVE/Advisory number: CVE-2022-24349
Synopsis: Reflected XSS in action configuration window of Zabbix Frontend
Description: An authenticated user can create a link to the actions pages containing a reflected XSS payload and send it to other users.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page displayed to a victim. This attack can be carried out with the help of social engineering and requires a number of factors to coincide: an attacker must have authorized access to the Zabbix Frontend and a permitted network connection between a malicious server and the victim's computer, must understand the attacked infrastructure, must be recognized by the victim as a trusted party, and must use a trusted communication channel.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products.
Workarounds: The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings, and always check any links you receive via email or other means of communication that lead to the actionconf.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on a suspicious link, do not fill out the opened form.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 4.0.0-4.0.38 | =>4.0.39rc1 | 4.6 | Medium | ZBX-20680
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 4.6 | Medium | ZBX-20680
Frontend | 5.4.0-5.4 | =>5.4.11rc1 | 4.6 | Medium | ZBX-20680
Frontend | 6.0 | =>6.0.1rc1 | 4.6 | Medium | ZBX-20680
ZBV-2022-01-4 | CVE-2022-24919 | 3.7 | Low | Reflected XSS in graph configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38, 5.0.0-5.0.20, 5.4.0-5.4.10, 6.0 | 2022 Feb 01
CVE/Advisory number: CVE-2022-24919
Synopsis: Reflected XSS in graph configuration window of Zabbix Frontend
Description: An authenticated user can create a link to the graphs page containing reflected JavaScript code and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which changes periodically and is difficult to predict.
Known Attack Vectors: Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page displayed to a victim during social engineering attacks.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products.
Workarounds: -
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 4.0.0-4.0.38 | =>4.0.39rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.0.0-5.0.20 | =>5.0.21rc1 | 3.7 | Low | ZBX-20680
Frontend | 5.4.0-5.4.10 | =>5.4.11rc1 | 3.7 | Low | ZBX-20680
Frontend | 6.0 | =>6.0.1rc1 | 3.7 | Low | ZBX-20680
ZBV-2021-12-2 | CVE-2022-23134 | 3.7 | Low | Possible view of the setup pages by unauthenticated users if config file already exists | Frontend | 5.4.0-5.4.8, 6.0.0-6.0.0beta1 | 2021 Dec 20
CVE/Advisory number: CVE-2022-23134
Synopsis: Possible view of the setup pages by unauthenticated users if config file already exists
Description: After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well.
Known Attack Vectors: A malicious actor can pass the step checks and potentially change the configuration of Zabbix Frontend.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products or, if an immediate update is not possible, follow the workarounds presented below.
Workarounds: If an immediate update is not possible, please remove the setup.php file.
Acknowledgements: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.4.0-5.4.8 | 5.4.9 | 3.7 | Low | ZBX-20384
Frontend | 6.0.0-6.0.0beta1 | 6.0.0beta2 | 3.7 | Low | ZBX-20384
ZBA-2021-12-4 | - | - | Medium | Possible remote code execution in Zabbix Java Gateway with logback 1.2.7 and prior versions | Java gateway | 2.0-2.X, 3.0-3.X, 4.0.0-4.0.36, 5.0.18, 5.4.0-5.4.8, 6.0.0alpha1-6.0.0beta1 | 2021 Dec 16
CVE/Advisory number: -
Synopsis: Possible remote code execution in Zabbix Java Gateway with logback 1.2.7 and prior versions
Description: In Zabbix Java Gateway with logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that allows arbitrary code loaded from LDAP servers to be executed.
Known Attack Vectors: A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met: write access to zabbix_java_gateway_logback.xml; use of a logback version < 1.2.9; reloading of the poisoned configuration data, which implies an application restart or scan="true" set prior to the attack. An attacker with such privileges may gain remote access to the server running Zabbix Java Gateway.
Resolution: To remediate CVE-2021-42550, apply the updates listed in the 'Fixed Version' section to the appropriate products or, if an immediate update is not possible, follow the workarounds presented below. As an additional measure for the fixed versions, we also recommend checking the permissions of the /etc/zabbix/zabbix_java_gateway_logback.xml file and setting it read-only if the “zabbix” user has write permissions on it.
Workarounds: If an immediate update is not possible, check the permissions granted to the “zabbix” user: the /etc/zabbix/zabbix_java_gateway_logback.xml file must be read-only for that user, and the user must not be able to restart the Zabbix Java Gateway service.
Acknowledgements: -
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Java gateway | 2.0-2.X | not supported | - | Medium | ZBX-20383
Java gateway | 3.0-3.X | not supported | - | Medium | ZBX-20383
Java gateway | 4.0.0-4.0.36 | 4.0.37 | - | Medium | ZBX-20383
Java gateway | 5.0.18 | 5.0.19 | - | Medium | ZBX-20383
Java gateway | 5.4.0-5.4.8 | 5.4.9 | - | Medium | ZBX-20383
Java gateway | 6.0.0alpha1-6.0.0beta1 | 6.0.0beta2 | - | Medium | ZBX-20383
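A script to audit the two workaround conditions the advisory names for a host (an added example, not Zabbix's own tooling): whether the logback configuration file is writable by the service user, and whether scan="true" would make logback re-read a modified file at runtime. The default path is the one given in the advisory; the logback jar version is not checked, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not Zabbix's own tooling): audit a Zabbix Java Gateway logback
# configuration against the workaround conditions in advisory ZBA-2021-12-4.
# Exit status: 0 = no finding, 1 = at least one finding, 2 = file missing.
# Assumptions: GNU stat is available; the default path is the advisory's.

# True when an octal permission digit has its write bit (2) set.
has_w() {
    case "$1" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

check_logback_cfg() {
    cfg="${1:-/etc/zabbix/zabbix_java_gateway_logback.xml}"
    user="${2:-zabbix}"
    findings=0

    [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 2; }

    owner=$(stat -c '%U' "$cfg")
    group=$(stat -c '%G' "$cfg")
    mode=$(stat -c '%a' "$cfg")
    perm=${mode#"${mode%???}"}     # keep the last three octal digits (ugo)
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}

    # Condition 1: the service user must not be able to write the file.
    writable=no
    if [ "$owner" = "$user" ] && has_w "$u"; then writable=yes; fi
    if has_w "$o"; then writable=yes; fi
    if has_w "$g" && id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        writable=yes
    fi
    if [ "$writable" = yes ]; then
        echo "FINDING: $cfg (mode $perm, $owner:$group) is writable by user '$user'"
        findings=1
    fi

    # Condition 2: scan="true" lets logback pick up a modified file without a restart.
    if grep -Eiq '<configuration[^>]*scan="true"' "$cfg"; then
        echo "FINDING: scan=\"true\" is set in $cfg; logback reloads the file periodically"
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK: $cfg is read-only for '$user' and not auto-scanned"
    return "$findings"
}
```

Run it as root with no arguments on a gateway host; pass a different path or user name as the two positional arguments when the deployment differs.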
ZBV-2021-12-3 | CVE-2022-23133 | 6.3 | Medium | Stored XSS in host groups configuration window in Zabbix Frontend | Frontend | 5.0.0-5.0.18, 5.4.0-5.4.8, 6.0.0alpha1 | 2021 Dec 08
CVE/Advisory number: CVE-2022-23133
Synopsis: Stored XSS in host groups configuration window in Zabbix Frontend
Description: An authenticated user can create a host group from the configuration with an XSS payload, which will be available to other users.
Known Attack Vectors: When the XSS payload is stored by an authenticated malicious actor and other users search for groups during new host creation, the payload fires and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products.
Workarounds: -
Acknowledgements: Zabbix wants to thank Hazem Osama for reporting this issue to us
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.0.0-5.0.18 | 5.0.19 | 6.3 | Medium | ZBX-20388
Frontend | 5.4.0-5.4.8 | 5.4.9 | 6.3 | Medium | ZBX-20388
Frontend | 6.0.0alpha1 | 6.0.0beta1 | 6.3 | Medium | ZBX-20388
ZBV-2021-12-5 | CVE-2022-23132 | 3.3 | Low | Incorrect permissions of [/var/run/zabbix] forces dac_override | Proxy, Server | 4.0.0-4.0.36, 5.0.18, 5.4.0-5.4.8, 6.0.0alpha1-6.0.0alpha7 | 2021 Dec 01
CVE/Advisory number: CVE-2022-23132
Synopsis: Incorrect permissions of [/var/run/zabbix] forces dac_override
Description: During Zabbix installation from RPM, the DAC_OVERRIDE SELinux capability is used to access PID files in the [/var/run/zabbix] folder. As a result, Zabbix Proxy or Server processes can bypass file read, write and execute permission checks at the file system level.
Known Attack Vectors: -
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products.
Workarounds: -
Acknowledgements: Zabbix wants to thank Brian J. Murrell for reporting this issue to us
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Proxy, Server | 4.0.0-4.0.36 | no fixes provided | 3.3 | Low | ZBX-20341
Proxy, Server | 5.0.18 | 5.0.19 | 3.3 | Low | ZBX-20341
Proxy, Server | 5.4.0-5.4.8 | 5.4.9 | 3.3 | Low | ZBX-20341
Proxy, Server | 6.0.0alpha1-6.0.0alpha7 | 6.0.0beta1 | 3.3 | Low | ZBX-20341
ZBV-2021-11-1 | CVE-2022-23131 | 9.1 | Critical | Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML | Frontend | 5.4.0-5.4.8, 6.0.0alpha1 | 2021 Nov 22
CVE/Advisory number: CVE-2022-23131
Synopsis: Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML
Description: On instances where SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because the user login stored in the session was not verified.
Known Attack Vectors: A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication must be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).
Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products or, if an immediate update is not possible, follow the workarounds presented below.
Workarounds: Disable SAML authentication.
Acknowledgements: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us
Component/s | Affected version/s | Fix version/s | CVSS score | Zabbix severity | Tickets
Frontend | 5.4.0-5.4.8 | 5.4.9 | 9.1 | Critical | ZBX-20350
Frontend | 6.0.0alpha1 | 6.0.0beta1 | 9.1 | Critical | ZBX-20350