CVE-2013-1364

Published: 14 December 2013

The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1 allows remote attackers to override LDAP configuration via the cnf parameter.

Priority

High

Status

Package: zabbix (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (1:2.0.4+dfsg-2)
Ubuntu 16.04 ESM (Xenial Xerus)  Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr)   Not vulnerable

Patches:
upstream: svn://svn.zabbix.com/branches/dev/DEV-524-20 (2.0)
upstream: svn://svn.zabbix.com/branches/dev/DEV-524-18 (1.8)

Notes

Author: seth-arnold
Note: 'high' severity is based on the assumption that users in zabbix
may be able to execute arbitrary commands via monitoring agents.
I have not determined if this is an accurate assumption.
