Debian LTS: DLA-3909-1 critical: zabbix XSS and code execution issues

October 3, 2024
Multiple weaknesses identified in Zabbix create risks such as XSS, unauthorized code execution, and data leakage. Prompt update is advised.
Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially among other effects allowing XSS, Code Execution, information disclosure...

Summary

As the version uploaded is a new upstream maintenance version, there are a
few minor new features and behavioural changes with this version. Please
see below for further information.

CVE-2022-23132

During Zabbix installation from RPM, the DAC_OVERRIDE SELinux capability is
in use to access PID files in the [/var/run/zabbix] folder. In this case,
Zabbix Proxy or Server processes can bypass the file read, write and execute
permission checks at the file system level.
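A practical way to confirm whether a running Zabbix server or proxy actually holds the Linux capability behind that SELinux permission is to decode the CapEff bitmask from /proc/<pid>/status (CAP_DAC_OVERRIDE is bit 1 in linux/capability.h). The following Python snippet is an added example written for this page; it is not part of the Debian or Zabbix packaging. It inspects only the kernel capability sets, not SELinux policy, and the /proc status excerpts it ships with are constructed samples (the process name, UID and mask values are assumptions). Because a process started as root normally has CAP_DAC_OVERRIDE in its effective set, this check is mostly useful after the service has been confined with a bounding set or systemd CapabilityBoundingSet.

```python
import re

# Capability bit numbers from linux/capability.h; unlisted bits are shown as CAP_<n>.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER",
    4: "CAP_FSETID",
    5: "CAP_KILL",
    6: "CAP_SETGID",
    7: "CAP_SETUID",
    8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    18: "CAP_SYS_CHROOT",
    21: "CAP_SYS_ADMIN",
}
CAP_DAC_OVERRIDE = 1

# Constructed /proc/<pid>/status excerpts (assumed values, not captured from a real host).
SAMPLE_STATUS_WITH_DAC_OVERRIDE = """\
Name:\tzabbix_server
Uid:\t998\t998\t998\t998
CapInh:\t0000000000000000
CapPrm:\t0000000000000002
CapEff:\t0000000000000002
CapBnd:\t000001ffffffffff
"""

SAMPLE_STATUS_DROPPED = """\
Name:\tzabbix_proxy
Uid:\t998\t998\t998\t998
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
"""


def parse_cap_eff(status_text):
    """Return the effective capability mask from a /proc status text, or None if absent."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else None


def caps_from_mask(mask):
    """Expand a capability bitmask into the list of capability names that are set."""
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES.get(bit, f"CAP_{bit}"))
        bit += 1
    return names


def holds_dac_override(status_text):
    """True if CAP_DAC_OVERRIDE is in the effective set described by status_text."""
    mask = parse_cap_eff(status_text)
    return mask is not None and bool(mask & (1 << CAP_DAC_OVERRIDE))


def check_pid(pid):
    """Read the live /proc/<pid>/status and report whether DAC_OVERRIDE is effective."""
    with open(f"/proc/{pid}/status", encoding="ascii") as f:
        return holds_dac_override(f.read())


if __name__ == "__main__":
    for label, text in (("server sample", SAMPLE_STATUS_WITH_DAC_OVERRIDE),
                        ("proxy sample", SAMPLE_STATUS_DROPPED)):
        mask = parse_cap_eff(text)
        print(f"{label}: CapEff={mask:#x} {caps_from_mask(mask)} "
              f"DAC_OVERRIDE={'yes' if holds_dac_override(text) else 'no'}")
```

On a real host, call check_pid() with the PID from /run/zabbix/zabbix_server.pid; a "no" result means the kernel will already refuse the permission bypass regardless of what the SELinux policy allows, while a "yes" result means the SELinux dac_override permission is the only remaining guard.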

CVE-2022-23133

An authenticated user can create a hosts group from the configuration
with XSS payload, which will be available for other users. When XSS is
stored by an authenticated malicious actor and other users try to search
for groups during new host creation, the XSS payload will fire and the
actor can steal session cookies and perform session hijacking to
impersonate users or take over their accounts.
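The root cause described above is a stored value (the host group name) being written into the search dropdown's markup without context-appropriate encoding. The snippet below is an added illustration in Python, not Zabbix's own PHP frontend code: it renders a constructed group name into an option element both unsafely and with html.escape() applied for the text and attribute contexts, then uses the standard-library HTML parser to list any start tags or non-template attributes that the rendered fragment would hand to a browser. The template shape and the sample names are assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled group names (illustrative; not taken from the advisory).
NAME_WITH_TAG = "Linux servers<script>alert(1)</script>"      # text-context injection
NAME_WITH_QUOTE = 'x" onmouseover="alert(1)'                   # attribute-context breakout
NAME_BENIGN = "Linux servers"


def render_option_unsafe(name):
    """Vulnerable: the stored name is concatenated straight into the markup."""
    return f'<option value="{name}">{name}</option>'


def render_option_safe(name):
    """Hardened: escape <, >, &, and both quote characters before interpolation."""
    safe = html.escape(name, quote=True)
    return f'<option value="{safe}">{safe}</option>'


class _TagCollector(HTMLParser):
    """Record every start tag and its attributes as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def injected_markup(fragment):
    """Return tags or attributes present in the fragment that the template did not emit.

    The template only ever produces one <option> element with a single value=
    attribute, so anything else came from the interpolated data.
    """
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    findings = []
    for tag, attrs in parser.tags:
        if tag != "option":
            findings.append(tag)
        for attr, _ in attrs:
            if attr != "value":
                findings.append(f"{tag}@{attr}")
    return findings


if __name__ == "__main__":
    for name in (NAME_BENIGN, NAME_WITH_TAG, NAME_WITH_QUOTE):
        print("unsafe:", injected_markup(render_option_unsafe(name)))
        print("safe:  ", injected_markup(render_option_safe(name)))
```

The check deliberately parses the output rather than grepping for "<script", because the attribute-context case injects no new tag at all; it only adds an event-handler attribute, which a substring search for tags would miss. Escaping with quote=True is what closes both paths, and the same rule applies to any other user-controlled string that the frontend places into HTML.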

CVE-2022-24349

An authenticated user can create a hosts group from the configuration

Severity: critical

Package: zabbix
Version: 1:5.0.44+dfsg-1+deb11u1
CVE ID: CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917
Debian Bug: 1014992 1014994 1026847 1053877 1055175 1078553
