2255111 – (CVE-2023-32725) CVE-2023-32725 zabbix: insufficient validation checks with cookies

Bug 2255111 (CVE-2023-32725) - CVE-2023-32725 zabbix: insufficient validation checks with cookies

Summary: CVE-2023-32725 zabbix: insufficient validation checks with cookies

Keywords:
Status:	NEW
Alias:	CVE-2023-32725
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2255112 2255113
Blocks:	2255040
TreeView+	depends on / blocked

Reported:	2023-12-18 17:54 UTC by Robb Gatica
Modified:	2023-12-19 05:12 UTC (History)
CC List:	0 users
Fixed In Version:	zabbix 6.0.22rc1, zabbix 6.4.7rc1, zabbix 7.0.0alpha4
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2023-12-18 17:54:19 UTC

Summary:
Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget.

Description: 
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user.

Known attack vectors:
Any URL can be configured in a URL widget by a Zabbix user. Zabbix session cookie may become known to the holder of this website and to an attacker. The attacker can use the cookie to pretend to be the Zabbix user who created the report and authorize himself in Zabbix frontend with the privileges of this user. Note that scheduled reports are available to Admin and Super admin user types.

Affected versions:
6.0.0 - 6.0.21, 6.4.0 - 6.4.6, 7.0.0alpha1 - 7.0.0alpha3

Comment 1 Robb Gatica 2023-12-18 17:54:36 UTC

Created zabbix tracking bugs for this issue:

Affects: epel-all [bug 2255112]
Affects: fedora-all [bug 2255113]

Note You need to log in before you can comment on or make changes to this bug.