CVE-2022-23132

During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level

References

Affected packages

Debian:11 / zabbix

Package

Name: zabbix
Purl: pkg:deb/debian/zabbix?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:5.0.44+dfsg-1+deb11u1

Affected versions

1:5.*

1:5.0.8+dfsg-1

1:5.0.14+dfsg-1~bpo11+1

1:5.0.14+dfsg-1

1:5.0.17+dfsg-1~bpo11+1

1:5.0.17+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / zabbix

Package

Name: zabbix
Purl: pkg:deb/debian/zabbix?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:6.0.7+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / zabbix

Package

Name: zabbix
Purl: pkg:deb/debian/zabbix?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:6.0.7+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/zabbix/zabbix

Affected ranges

Type: GIT
Repo: https://github.com/zabbix/zabbix
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

1ca342c90ed471c4547b9a4ea9dfcc147be3f3f0

Last affected

315ec0e63a834834015e7431cc685c6b3ad8c265

Last affected

6b9f1a434682b6102080217ff723cad209610a7d

Last affected

b07e17de0abf0006ddd56c2eb39d3dacda0ba2eb

Last affected

cf8d4a64d29b8fce8e40761533f8dd9438c786fd

Last affected

e58e4c62e52436a5b5385e7b58b5a7e9376cc67a

Last affected

f56fed83bc4778f6c8fdc6bedc956d6c2059c56b

Affected versions

6.*

6.0.0alpha1

6.0.0alpha2

6.0.0alpha3