[CVE-2022-23131] Unsafe session storage leading to authentication bypass in Zabbix Frontend
Severity: HIGH
CVE Score: 9.1
CVE-2022-23131: Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML
On instances where SAML SSO authentication is enabled (not the default), session data can be modified by a malicious actor because the user login stored in the session was not verified. Impact: privilege escalation and admin access to the Zabbix Frontend.
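The core defect above is a login value stored in client-controlled session data and trusted without verification. The following is an added illustration, not Zabbix code: a constructed base64/JSON session cookie with an HMAC, read once the vulnerable way (the login field is taken at face value) and once the hardened way (MAC checked in constant time, then the session id resolved against a server-side table). Key, session table and the helper that edits the cookie are all constructed for the demonstration.

```python
# Added example (not Zabbix code): why a client-side session blob must be
# integrity-checked AND its login resolved server-side before it is trusted.
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed; would live in server config

# Constructed server-side session table: session id -> user actually logged in.
ACTIVE_SESSIONS = {"a1b2c3": "guest"}

def issue_cookie(session_id: str, login: str) -> str:
    """Serialize session data as base64(JSON) with an HMAC over the payload."""
    payload = json.dumps({"sessionid": session_id, "login": login}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    blob = json.dumps({"data": base64.b64encode(payload).decode(), "sign": sig})
    return base64.b64encode(blob.encode()).decode()

def resolve_login_unsafe(cookie: str) -> str:
    """Vulnerable pattern: trusts the login field stored in the cookie as-is."""
    blob = json.loads(base64.b64decode(cookie))
    data = json.loads(base64.b64decode(blob["data"]))
    return data["login"]

def resolve_login_safe(cookie: str):
    """Hardened: verify the MAC in constant time, then look the session up
    server-side and ignore the client-supplied login entirely."""
    try:
        blob = json.loads(base64.b64decode(cookie))
        payload = base64.b64decode(blob["data"])
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(blob.get("sign", ""))):
            return None                       # tampered or unsigned cookie
        session_id = json.loads(payload)["sessionid"]
    except (ValueError, KeyError, TypeError):
        return None                           # malformed cookie
    return ACTIVE_SESSIONS.get(session_id)    # authoritative login, or None

def modify_login_field(cookie: str, new_login: str) -> str:
    """Constructed helper: simulates the client-side edit the advisory
    describes, so the two readers can be compared on the same input."""
    blob = json.loads(base64.b64decode(cookie))
    data = json.loads(base64.b64decode(blob["data"]))
    data["login"] = new_login
    blob["data"] = base64.b64encode(json.dumps(data).encode()).decode()
    return base64.b64encode(json.dumps(blob).encode()).decode()
```

A cookie whose login was changed to "Admin" is accepted by `resolve_login_unsafe` and rejected by `resolve_login_safe`, which is the distinction the fixed Zabbix versions restore.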
A public PoC exists, and attackers are scanning for exposed Zabbix Web Frontends.
Affected version:
Zabbix Web Frontend: 5.4.0 - 5.4.8, 6.0.0alpha1, and 4.0.36
Mitigation:
- Upgrade Zabbix Web Frontend to 6.0.0beta2, 5.4.9, 5.0.19 or 4.0.37
- Restrict access to the Zabbix Web Frontend to the local network, a VPN, or an access (jump) server.
Reference:
https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage