Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
References
Link | Resource |
---|---|
https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html | |
https://support.zabbix.com/browse/ZBX-16532 | Vendor Advisory |
Configurations
History
No history.
Information
Published : 2019-08-17 18:15
Updated : 2024-02-04 20:20
NVD link : CVE-2019-15132
Mitre link : CVE-2019-15132
CVE.ORG link : CVE-2019-15132
JSON object : View
Products Affected
zabbix
- zabbix
debian
- debian_linux
CWE
CWE-203
Observable Discrepancy