Bug 2255111 (CVE-2023-32725) - CVE-2023-32725 zabbix: insufficient validation checks with cookies
Summary: CVE-2023-32725 zabbix: insufficient validation checks with cookies
Keywords:
Status: NEW
Alias: CVE-2023-32725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255112 2255113
Blocks: 2255040
Reported: 2023-12-18 17:54 UTC by Robb Gatica
Modified: 2023-12-19 05:12 UTC (History)
CC List: 0 users

Fixed In Version: zabbix 6.0.22rc1, zabbix 6.4.7rc1, zabbix 7.0.0alpha4
Doc Type: ---
Doc Text:
A flaw was discovered in Zabbix. When a particular session cookie is issued to a user for testing or executing scheduled reports, a remote attacker may use that cookie to access the front end with the privileges of the user.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Robb Gatica 2023-12-18 17:54:19 UTC
Summary:
Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget.

Description: 
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user.

Known attack vectors:
Any URL can be configured in a URL widget by a Zabbix user. The Zabbix session cookie may become known to the holder of this website and to an attacker. The attacker can use the cookie to pretend to be the Zabbix user who created the report and authorize himself in the Zabbix frontend with the privileges of this user. Note that scheduled reports are available to Admin and Super admin user types.

Affected versions:
6.0.0 - 6.0.21, 6.4.0 - 6.4.6, 7.0.0alpha1 - 7.0.0alpha3
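
As an added example (not part of this bug report and not Zabbix code), the affected ranges listed above can be turned into a triage check over a version inventory. The function names, hostnames and sample inventory are constructed for illustration; only the version ranges come from the report.

```python
import re

# Inclusive affected ranges, copied from the "Affected versions" list in this report.
AFFECTED = [("6.0.0", "6.0.21"), ("6.4.0", "6.4.6"), ("7.0.0alpha1", "7.0.0alpha3")]

# Pre-release builds sort before the final release of the same x.y.z.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?")

def parse_version(text):
    """Turn an upstream version such as '6.0.22rc1' into a sortable tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), _STAGE[stage], int(n or 0))

def is_affected(version):
    """True if the version falls inside one of the ranges listed in the report."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)

def triage(inventory):
    """Map host -> 'affected', 'not listed' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            # Not a plain upstream version (e.g. a distribution package
            # release): report it for manual review, never as safe.
            result[host] = "unknown"
    return result

# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "zbx-prod": "6.0.21",
    "zbx-stage": "6.0.22rc1",
    "zbx-lab": "7.0.0alpha3",
    "zbx-dev": "7.0.0alpha4",
    "zbx-dr": "6.4.7rc1",
    "zbx-pkg": "6.4.6-1.el9",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {SAMPLE_INVENTORY[host]:14} {status}")
```

"not listed" means only that the version is outside the ranges given in this report, and "unknown" entries need a manual check against the package changelog.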

Comment 1 Robb Gatica 2023-12-18 17:54:36 UTC
Created zabbix tracking bugs for this issue:

Affects: epel-all [bug 2255112]
Affects: fedora-all [bug 2255113]

