Headline
CVE-2023-32723: [ZBX-23230] Inefficient user permission check in class CControllerAuthenticationUpdate (CVE-2023-32723)
Request to LDAP is sent before user permissions are checked.
Mitre ID
CVE-2023-32723
CVSS score
8.5
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Severity
high
Summary
Inefficient permission check in class CControllerAuthenticationUpdate
Description
Request to LDAP is sent before user permissions are checked.
Known attack vectors
This vulnerability allows unauthorized Server-Side Request Forgery (SSRF) in the Zabbix frontend. The attack involves an attacker abusing server functionality to access or modify resources; the attacker targets an application that reads or imports data from URLs.
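The defect described above is an ordering problem: the frontend performs an outbound LDAP request on behalf of the caller before it has established that the caller is allowed to change authentication settings, so any authenticated user can make the server connect to a host of their choosing. The following PHP sketch is an added illustration, not Zabbix's own code; the class and function names (RecordingLdapClient, updateAuthenticationVulnerable, updateAuthenticationHardened) and the super-admin flag are assumptions made for the example. It contrasts the vulnerable ordering with the hardened one (authorize, then validate input, then perform the request) and records which hosts each variant contacted when called by a low-privileged user.

```php
<?php
declare(strict_types=1);

// Added example, not Zabbix code. Names and the permission model are assumptions.

interface LdapClient
{
    public function testConnection(string $host, int $port): bool;
}

// Test double that records outbound connection attempts instead of making them.
final class RecordingLdapClient implements LdapClient
{
    /** @var string[] */
    public array $hostsContacted = [];

    public function testConnection(string $host, int $port): bool
    {
        $this->hostsContacted[] = $host . ':' . $port;
        return true;
    }
}

final class User
{
    public function __construct(public string $name, public bool $isSuperAdmin) {}
}

final class PermissionDenied extends RuntimeException {}
final class InvalidInput extends InvalidArgumentException {}

// Vulnerable ordering: the outbound request is made before the caller is authorized,
// so any authenticated user can steer the server at an arbitrary host.
function updateAuthenticationVulnerable(User $user, array $input, LdapClient $ldap): void
{
    $ldap->testConnection((string)$input['ldap_host'], (int)$input['ldap_port']);
    if (!$user->isSuperAdmin) {
        throw new PermissionDenied('only super admins may change authentication settings');
    }
    // ... persist settings here
}

// Hardened ordering: authorize first, validate the request next, and only then
// touch the network. Validation is a constructed example of a conservative check.
function updateAuthenticationHardened(User $user, array $input, LdapClient $ldap): void
{
    if (!$user->isSuperAdmin) {
        throw new PermissionDenied('only super admins may change authentication settings');
    }
    $host = (string)($input['ldap_host'] ?? '');
    $port = (int)($input['ldap_port'] ?? 0);
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host) || $port < 1 || $port > 65535) {
        throw new InvalidInput('ldap_host or ldap_port is malformed');
    }
    $ldap->testConnection($host, $port);
    // ... persist settings here
}

// Runs one variant as a low-privileged user and reports which hosts were contacted.
function hostsContactedByLowPrivilegedUser(callable $variant): array
{
    $ldap = new RecordingLdapClient();
    $user = new User('reporter', false);
    $input = ['ldap_host' => 'ldap.internal.example', 'ldap_port' => '389']; // constructed input
    try {
        $variant($user, $input, $ldap);
    } catch (PermissionDenied $e) {
        // expected for a non-admin; what matters is whether the request already went out
    }
    return $ldap->hostsContacted;
}

// Expected: the vulnerable variant has already contacted the host, the hardened one has not.
print_r(hostsContactedByLowPrivilegedUser('updateAuthenticationVulnerable'));
print_r(hostsContactedByLowPrivilegedUser('updateAuthenticationHardened'));
```

For detection, the same ordering shows up in logs: an outbound LDAP connection attempt from the frontend that is followed by an authorization failure for the same request is the signature of this class of bug, and a permission-denied response that is preceded by no network activity is what the corrected path should produce.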
Patch provided
No
Component/s
Frontend
Affected version/s and fix version/s
4.0.0 - 4.0.19rc1 / 4.0.20rc1
4.4.0 - 4.4.7rc1 / 4.4.8rc1
5.0.0alpha3 / 5.0.0alpha4
Fix compatibility tests
-
Resolution
Fixed
Workarounds
Acknowledgements
Zabbix wants to thank xiaojunjie