CVE-2022-23131
Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML
In short
When SAML login is enabled in Zabbix, an attacker can edit the session data held in their own browser to impersonate any user whose name they know, including the built-in Admin account, and gain administrative access to the monitoring system without that user's password.
Technical detail
CVE-2022-23131 is an authentication bypass in Zabbix Frontend that is reachable only when SAML SSO is configured (it is not enabled by default). Zabbix keeps session state on the client side, in the zbx_session cookie, as a base64-encoded JSON document, and the user login that the SAML flow placed in that session was used without being verified. An unauthenticated attacker can therefore rewrite the cookie to carry an arbitrary login and is logged in as that user; naming the built-in Admin account yields super administrator access to the frontend. The attack requires SAML to be enabled and a valid username (or the guest account, which is disabled by default). Affected versions are 5.4.0 to 5.4.8 and 6.0.0alpha1; fixed in 5.4.9 and 6.0.0beta1.
Summary generated and translated by AI from the official description.
In the case of instances where SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).
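The two descriptions above come down to one pattern: the server reads an identity out of a session document the client holds, without an integrity check that covers that field. The following is an added example, not Zabbix code, that models the unsafe pattern next to a hardened one. The function names, the SERVER_KEY value, the SESSIONS table and the field name "saml_login" are assumptions made for illustration, not Zabbix identifiers.

```python
"""
Added example, not Zabbix code: a minimal model of the bug class behind
CVE-2022-23131 (identity read from a client-held session blob without an
integrity check that covers it) next to a hardened version.

The session is a base64-encoded JSON document kept by the client, as Zabbix
keeps it in the zbx_session cookie. Everything below is illustrative: the
function names, the SERVER_KEY value, the SESSIONS table and the field
name "saml_login" are assumptions, not Zabbix identifiers.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"example-only-session-key"   # assumption: per-install secret
SESSIONS = {"s-1234": "alice"}              # constructed server-side table


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _encode(obj: dict) -> str:
    return base64.b64encode(json.dumps(obj, sort_keys=True).encode()).decode()


def _decode(blob: str) -> dict:
    return json.loads(base64.b64decode(blob))


# ---- unsafe pattern --------------------------------------------------------
def make_session_unsafe(session_id: str, saml_login: Optional[str] = None) -> str:
    """Integrity tag covers only session_id; the SAML login rides along unsigned."""
    data = {"sessionid": session_id, "sign": _sign(session_id.encode())}
    if saml_login is not None:
        data["saml_login"] = saml_login
    return _encode(data)


def load_session_unsafe(blob: str) -> Optional[str]:
    """Return the user the server would act as for this blob, or None."""
    data = _decode(blob)
    if "saml_login" in data:
        # SSO path: the login is trusted straight from the client-held blob.
        # Nothing ties it to the tag, so the client can write any name here.
        return data["saml_login"]
    # Ordinary path: the tag is checked, but it only ever covered sessionid.
    if hmac.compare_digest(data.get("sign", ""), _sign(data.get("sessionid", "").encode())):
        return SESSIONS.get(data["sessionid"])
    return None


# ---- hardened pattern ------------------------------------------------------
def make_session_hardened(fields: dict) -> str:
    """Authenticate the whole canonical session body, not individual fields."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return _encode({"body": body, "sign": _sign(body.encode())})


def load_session_hardened(blob: str) -> Optional[str]:
    """Verify first, parse second: no field is read until the tag checks out."""
    try:
        data = _decode(blob)
        body, sign = data["body"], data["sign"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(body, str) or not isinstance(sign, str):
        return None
    if not hmac.compare_digest(sign, _sign(body.encode())):
        return None  # forged or tampered: reject before trusting anything
    fields = json.loads(body)
    if "saml_login" in fields:
        return fields["saml_login"]
    return SESSIONS.get(fields.get("sessionid"))


# ---- what an attacker sends ------------------------------------------------
def forged_blob(login: str) -> str:
    """Constructed attacker input: no valid session, no valid tag, just a name."""
    return _encode({"saml_login": login, "sessionid": "", "sign": ""})


def tampered_hardened_blob(blob: str, login: str) -> str:
    """Take a real hardened session and rewrite its login without the key."""
    data = _decode(blob)
    fields = json.loads(data["body"])
    fields["saml_login"] = login
    data["body"] = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return _encode(data)  # old tag no longer matches the new body


if __name__ == "__main__":
    print(load_session_unsafe(forged_blob("Admin")))                     # Admin
    print(load_session_hardened(forged_blob("Admin")))                   # None
    real = make_session_hardened({"sessionid": "s-1234", "saml_login": "alice"})
    print(load_session_hardened(real))                                   # alice
    print(load_session_hardened(tampered_hardened_blob(real, "Admin")))  # None
```

The hardened loader differs in two ways that both matter: the tag is computed over the entire canonical body rather than over one field, and the body is not parsed or consulted until the tag has been verified with a constant-time comparison. Either change alone leaves a hole; the SSO path in the unsafe loader is reachable precisely because a field can be read before, and independently of, the integrity check.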
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (base score 9.1, Critical)
Affected products
Zabbix · Frontend
Public PoCs found: 22
github.com/Mr-xn/cve-2022-23131 (★ 154)
github.com/jweny/CVE-2022-23131 (★ 95)
github.com/L0ading-x/cve-2022-23131 (★ 29)
github.com/kh4sh3i/CVE-2022-23131 (★ 15)
github.com/Kazaf6s/CVE-2022-23131 (★ 11)
github.com/random-robbie/cve-2022-23131-exp (★ 8)
github.com/SCAMagic/CVE-2022-23131poc-exp-zabbix- (★ 8)
github.com/fork-bombed/CVE-2022-23131 (★ 4)
github.com/1mxml/CVE-2022-23131 (★ 3)
github.com/davidzzo23/CVE-2022-23131 (★ 3)
github.com/pykiller/CVE-2022-23131 (★ 2)
github.com/Vulnmachines/Zabbix-CVE-2022-23131 (★ 2)
github.com/trganda/CVE-2022-23131 (★ 1)
github.com/clearcdq/Zabbix-SAML-SSO-_CVE-2022-23131 (★ 1)
github.com/wr0x00/cve-2022-23131 (★ 1)
github.com/zwjjustdoit/cve-2022-23131 (★ 1)
github.com/Fa1c0n35/zabbix-cve-2022-23131 (★ 1)
github.com/Chaelsoo/CVE-2022-23131-Wrappers (★ 0)
github.com/Arrnitage/CVE-2022-23131_exp (★ 0)
github.com/r10lab/CVE-2022-23131 (★ 0)
github.com/dagowda/Zabbix-cve-2022-23131-SSO-bypass (★ 0)
github.com/qq1549176285/CVE-2022-23131 (★ 0)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.