CVE-2019-15132

Published: 17 August 2019

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
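The description above names the three distinguishable outcomes that make enumeration possible: a generic "incorrect" message, a "No permissions" message that only a real (but blocked) account can produce, and a lockout delay that only real accounts trigger. The following Python is an added illustration of that pattern and of the usual fix; it is not Zabbix code and does not model the actual api_jsonrpc.php or index.php logic. It assumes a constructed in-memory user store (USERS) with a hypothetical enabled flag, and it standardises every failure on one message and one unit of password-hashing work so that a missing account, a disabled account and a wrong password are indistinguishable to the client.

```python
import hashlib
import hmac
import secrets

# Toy password hashing; constructed for the example, not Zabbix's scheme.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> salt, PBKDF2 hash, hypothetical "enabled" flag.
_SALT = b"constructed-salt-for-demo"
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT), "enabled": True},
    "bob":   {"salt": _SALT, "hash": _hash("hunter2", _SALT), "enabled": False},
}

# Dummy credentials: unknown usernames are verified against these so that the
# failure path costs the same PBKDF2 work whether or not the account exists.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Login name or password is incorrect"


def login_vulnerable(username: str, password: str):
    """The response-variability pattern the advisory describes: three outcomes
    that let a client tell existing accounts apart from non-existent ones."""
    user = USERS.get(username)
    if user is None:
        # Unknown user: fast path, no hash computed, generic message.
        return False, GENERIC_FAILURE
    if not user["enabled"]:
        # Only a real, disabled account can produce this message.
        return False, "No permissions for system access"
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return True, "OK"
    # Real account, wrong password: same message as unknown user, but slower.
    return False, GENERIC_FAILURE


def login_hardened(username: str, password: str):
    """Every failure returns the same message after the same amount of work.
    The real reason (no such user, disabled, bad password) belongs in the
    server-side log, where it is useful for detection, not in the response."""
    user = USERS.get(username)
    salt, stored = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if user is None or not user["enabled"] or not password_ok:
        return False, GENERIC_FAILURE
    return True, "OK"
```

The same principle applies to any lockout or throttling logic: if a delay or temporary block is applied, it must be keyed on something that does not depend on whether the username exists (for example the client address or the submitted username string itself), otherwise the delay becomes a fourth oracle. A spike of failed logins that cycles through many distinct usernames from one source is the corresponding signal to alert on in the server-side log.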

From the Ubuntu Security Team

It was discovered that Zabbix incorrectly handled failed login attempts. A remote attacker could possibly use this issue to enumerate users.

Priority

Low

CVSS 3 Severity Score

5.3

Status

Package: zabbix (Launchpad, Ubuntu, Debian)

Release   Status
trusty    Released (1:2.2.2+dfsg-1ubuntu1+esm4) - Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial    Released (1:2.4.7+dfsg-2ubuntu2.1+esm3) - Available with Ubuntu Pro
bionic    Released (1:3.0.12+dfsg-1ubuntu0.1~esm3) - Available with Ubuntu Pro
focal     Released (1:4.0.17+dfsg-1ubuntu0.1~esm1) - Available with Ubuntu Pro
disco     Ignored (end of life)
eoan      Ignored (end of life)
groovy    Ignored (end of life)
hirsute   Not vulnerable (5.0.7+dfsg-1build1)
impish    Not vulnerable (5.0.7+dfsg-1build1)
jammy     Not vulnerable (5.0.7+dfsg-1build1)
kinetic   Not vulnerable (5.0.7+dfsg-1build1)
lunar     Not vulnerable (5.0.7+dfsg-1build1)
mantic    Not vulnerable (5.0.7+dfsg-1build1)
upstream  Needed
Patches:
upstream: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b5a110e4d1c21d865cd03e3ef8dbc6f37221b60f

Severity score breakdown

Parameter               Value
Base score              5.3
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  Low
Integrity impact        None
Availability impact     None
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N