CVE-2022-23131

Zabbix Frontend Authentication Bypass Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).

En el caso de las instancias en las que la autenticación SAML SSO está habilitada (no por defecto), los datos de la sesión pueden ser modificados por un actor malicioso, ya que un login de usuario almacenado en la sesión no fue verificado. Un actor malicioso no autenticado puede explotar este problema para escalar privilegios y conseguir acceso de administrador a Zabbix Frontend. Para llevar a cabo el ataque, es requerido que la autenticación SAML esté habilitada y que el actor conozca el nombre de usuario de Zabbix (o que use la cuenta de invitado, que está deshabilitada por defecto)

Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML.

*Credits: Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-11 CVE Reserved
2022-01-13 CVE Published
2022-02-19 First Exploit
2022-02-22 Exploited in Wild
2022-03-08 KEV Due Date
2024-09-16 CVE Updated
2024-11-21 EPSS Updated

CWE

CWE-290: Authentication Bypass by Spoofing

CAPEC

References (9)

URL	Tag	Source

URL	Date	SRC
https://github.com/jweny/CVE-2022-23131	2022-02-21
https://github.com/kh4sh3i/CVE-2022-23131	2022-03-31
https://github.com/Kazaf6s/CVE-2022-23131	2022-04-02
https://github.com/1mxml/CVE-2022-23131	2022-02-19
https://github.com/r10lab/CVE-2022-23131	2023-10-24
https://github.com/trganda/CVE-2022-23131	2022-02-24
https://github.com/Vulnmachines/Zabbix-CVE-2022-23131	2022-09-02
https://github.com/pykiller/CVE-2022-23131	2022-02-24

URL	Date	SRC
https://support.zabbix.com/browse/ZBX-20350	2022-01-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zabbix Search vendor "Zabbix"		Zabbix Search vendor "Zabbix" for product "Zabbix"				>= 5.4.0 <= 5.4.8 Search vendor "Zabbix" for product "Zabbix" and version " >= 5.4.0 <= 5.4.8"		-		Affected
Zabbix Search vendor "Zabbix"		Zabbix Search vendor "Zabbix" for product "Zabbix"				6.0.0 Search vendor "Zabbix" for product "Zabbix" and version "6.0.0"		alpha1		Affected