CVE-2022-43515

Name	CVE-2022-43515
Description	Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3538-1, DLA-3909-1
Debian Bugs	1026847

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
zabbix (PTS)	bullseye	1:5.0.8+dfsg-1	vulnerable
	bullseye (security)	1:5.0.44+dfsg-1+deb11u1	fixed
	bookworm	1:6.0.14+dfsg-1	fixed
	sid, trixie	1:7.0.5+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
zabbix	source	buster	1:4.0.4+dfsg-1+deb10u2	DLA-3538-1
zabbix	source	bullseye	1:5.0.44+dfsg-1+deb11u1	DLA-3909-1
zabbix	source	(unstable)	1:6.0.13+dfsg-1		1026847

Notes

https://support.zabbix.com/browse/ZBX-22050
Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045 (4.0.45rc1)
Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e (5.0.30rc1)