ELA-562-1 zabbix security update
Package: zabbix
Version: 1:2.2.23+dfsg-0+deb8u3
Related CVEs: CVE-2022-23134
Thomas Chauchefoin from SonarSource discovered that in Zabbix, a server/client network monitoring system, some steps of the setup.php file remain reachable after the initial setup process, not only by super-administrators but by unauthenticated users as well. An attacker could bypass checks and potentially change the configuration of the Zabbix Frontend.
For Debian 8 jessie, these problems have been fixed in version 1:2.2.23+dfsg-0+deb8u3.
We recommend that you upgrade your zabbix packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A zabbix security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where an attacker could bypass checks and potentially change the configuration of Zabbix Frontend.