CVE-2022-46768: [ZBX-22087] Zabbix Web Service Report Generation External Control of File Name Information Disclosure Vulnerability (CVE-2022-46768)

ID: ZBV-2022-09-1

CVE: CVE-2022-46768

Synopsis: File name information disclosure vulnerability in Zabbix Web Service Report Generation

Description: An arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on port 10053. The service does not properly validate URL parameters before reading files.

CVSS: 5.9: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Zabbix Severity: Medium

Known Attack Vectors: An attacker can read arbitrary files on the file system without authentication, subject to two preconditions:

  1. The Zabbix web service must allow access from the attacker's IP address in the zabbix_web_service.conf file.
  2. Google Chrome must be installed on the victim server.

Resolution: To remediate this vulnerability, apply the updates listed in the ‘Fixed Version’ section to the affected products, or use the workaround below.

Workarounds: If an immediate update is not possible, limit network access to the Zabbix Web Service Report Generation service.
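As an added example (not Zabbix's own code; Zabbix Web Service is a Go program, so the hardened form is shown in Go), this is the kind of check the description says was missing: a URL-supplied file name is confined to one allowed directory before any file is read. The base directory and the `file` query parameter are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// Constructed for this example: the only directory report files may be read from.
const baseDir = "/srv/zabbix/report-assets"

var errOutsideBase = errors.New("file name resolves outside the allowed directory")

// safeReportPath maps a user-controlled file name onto base and fails closed when
// the cleaned result does not stay inside it (empty names, NUL bytes, absolute
// paths and ".." segments that climb above base are all rejected).
func safeReportPath(base, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) || filepath.IsAbs(name) {
		return "", errOutsideBase
	}
	full := filepath.Join(base, name) // Join applies Clean, so ".." is resolved here
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideBase
	}
	// If base may contain symlinks, additionally check filepath.EvalSymlinks(full)
	// against base before opening the file.
	return full, nil
}

// reportHandler serves the file named by the hypothetical "file" query parameter,
// but only after that name has passed safeReportPath.
func reportHandler(w http.ResponseWriter, r *http.Request) {
	path, err := safeReportPath(baseDir, r.URL.Query().Get("file"))
	if err != nil {
		http.Error(w, "invalid file name", http.StatusBadRequest)
		return
	}
	data, err := os.ReadFile(path)
	if err != nil {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	_, _ = w.Write(data)
}
```

Register reportHandler with http.HandleFunc and keep the network restriction from the workaround in place as well; the path check is defence in depth, not a replacement for it.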