Vulnerability Details : CVE-2022-43515
Zabbix Frontend provides a maintenance mode that allows admins to maintain the installation while ensuring that only certain IP addresses can access it. In this way, no other user can reach the Zabbix Frontend while it is being maintained, and potentially sensitive data is prevented from being disclosed. An attacker can bypass this protection and access the instance from an IP address not listed in the defined range.
Vulnerability category: Input validation
Products affected by CVE-2022-43515
- cpe:2.3:a:zabbix:frontend:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:frontend:6.2.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:frontend:6.0.11:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:frontend:5.0.30:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-43515
- 0.36%: probability of exploitation activity in the next 30 days
- ~72%: percentile (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2022-43515
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | Zabbix | |
CWE ids for CVE-2022-43515
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security@zabbix.com (Secondary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-43515
- https://support.zabbix.com/browse/ZBX-22050 : [ZBX-22050] X-Forwarded-For header is active by default causes access to zabbix sites in maintenance mode (CVE-2022-43515) - ZABBIX SUPPORT (Exploit; Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html : [SECURITY] [DLA 3538-1] zabbix security update