CVE-2022-46768
Published: 15 December 2022
Summary
CVE-2022-46768 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Zabbix Web Service Report Generation. Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-46768 is an arbitrary file read vulnerability in the Zabbix Web Service Report Generation component, which listens on TCP port 10053. The flaw stems from insufficient validation of URL parameters supplied to file-reading operations, allowing an attacker to supply crafted paths that the service will retrieve without authorization checks. It carries a CVSS 3.1 base score of 5.9 and is classified under CWE-20.
An unauthenticated remote attacker can exploit the issue over the network by sending specially formed requests to the report-generation service. Successful exploitation yields read access to arbitrary files on the underlying system, exposing sensitive configuration data or credentials while leaving integrity and availability unaffected.
The referenced Zabbix support ticket ZBX-22087 describes the flaw and the corrective actions taken in subsequent releases; administrators are advised to apply the vendor patches that enforce proper input validation and restrict file access within the report service.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0924 (current value 0.0520), indicating measurable post-disclosure interest in exploitation attempts.
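The weakness class described above is a report service fetching whatever URL it is handed before checking that the target is something it should be allowed to retrieve. As an added illustration (not Zabbix's code, and not the corrective change from ZBX-22087), the following Go function shows the kind of pre-fetch allow-list check that closes this gap: only http/https URLs whose host is one of the configured frontend hosts are accepted, so non-network schemes and unknown hosts are refused before any I/O happens. The function name and host names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrRejectedURL is returned for any report URL that fails the allow-list checks.
var ErrRejectedURL = errors.New("report URL rejected by allow-list")

// ValidateReportURL is a hypothetical pre-fetch check for a report-rendering
// service: the URL is accepted only if its scheme is http or https and its
// host (without port, case-insensitive) matches a configured frontend host.
func ValidateReportURL(raw string, allowedHosts []string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrRejectedURL, err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q not permitted", ErrRejectedURL, u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // strips any :port
	for _, a := range allowedHosts {
		if host != "" && host == strings.ToLower(a) {
			return u, nil
		}
	}
	return nil, fmt.Errorf("%w: host %q not in allow-list", ErrRejectedURL, host)
}

func main() {
	// Constructed sample inputs; the frontend host name is a placeholder.
	allow := []string{"zabbix-frontend.example.internal"}
	for _, raw := range []string{
		"https://zabbix-frontend.example.internal/zabbix.php?action=dashboard.view",
		"file:///PLACEHOLDER_LOCAL_PATH",
		"https://other-host.example.internal/",
	} {
		if _, err := ValidateReportURL(raw, allow); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", raw)
		}
	}
}
```

Pair a check like this with a short fetch timeout and a response size limit; the allow-list decides what the service may reach, and the limits bound what it does once it gets there.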
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-49551
Vulnerability details
An arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on port 10053. The service does not properly validate URL parameters before reading files.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.