CVE-2022-23131: 
Zabbix Server vulnerability analysis and mitigation

CVE-2022-23131 is a critical authentication bypass vulnerability in Zabbix Frontend that affects versions 5.4.0 through 5.4.8 and 6.0.0alpha1. The vulnerability exists in instances where SAML SSO authentication is enabled (non-default configuration), where session data can be modified by a malicious actor because user login stored in the session was not verified. This vulnerability was discovered by Thomas Chauchefoin from SonarSource and was disclosed in November 2021 (Zabbix Issue).

The vulnerability has a CVSS v3 base score of 9.8 (Critical), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction (NVD). The issue stems from unsafe client-side session storage implementation in Zabbix Frontend's SAML authentication mechanism, where the session data's authenticity is not properly verified (SonarSource Blog).

When successfully exploited, this vulnerability allows an unauthenticated attacker to escalate privileges and gain administrator access to the Zabbix Frontend. The attacker only needs to know the username of a Zabbix user or utilize the guest account (which is disabled by default) to perform the attack (Zabbix Issue).

Organizations can mitigate this vulnerability by either upgrading to the fixed versions (6.0.0beta2, 5.4.9, 5.0.19, or 4.0.37) or by disabling SAML authentication as a temporary workaround (Zabbix Issue).

The vulnerability received significant attention from the cybersecurity community, leading to its inclusion in CISA's catalog of known exploited vulnerabilities. Security experts and Zabbix Certified Experts urged organizations using SAML SSO authentication features to update their Zabbix instances immediately (Security Online).