CVE-2019-15132
Published: 17 August 2019
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
From the Ubuntu Security Team
It was discovered that Zabbix incorrectly handled failed login attempts. A remote attacker could possibly use this issue to enumerate users.
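The description above lists three signals that let a caller tell an existing login name from an unknown one: the "No permissions for system access" message, the temporary block after repeated failures, and the generic error that unknown names always get. The added model below (illustrative Python, not Zabbix's PHP or its fix; user store, hash parameters and message strings are constructed) contrasts that leaky flow with a uniform one and includes the check a defender can run against a login endpoint: the same password attempts against existing and unknown names must produce indistinguishable replies.

```python
import hashlib
import hmac
# Constructed sample store (not Zabbix's schema): name -> (salt, digest, gui_access)
SALT = b"constructed-salt"
def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
USERS = {
    "alice": (SALT, pw_hash("correct horse", SALT), True),
    "report": (SALT, pw_hash("batteries", SALT), False),  # exists, but no GUI access
}
DUMMY = (SALT, pw_hash("unused", SALT), False)  # gives unknown names the same work
LOCK_AFTER = 3
GENERIC = "Login name or password is incorrect."

def login_leaky(user, password, failures):
    """Model of the pre-fix behaviour: replies differ for existing and unknown names."""
    rec = USERS.get(user)
    if rec is None:
        return GENERIC  # unknown names are never counted, so they are never blocked
    if failures.get(user, 0) >= LOCK_AFTER:
        return "Account is blocked for 30 seconds."
    salt, digest, gui_access = rec
    if not hmac.compare_digest(pw_hash(password, salt), digest):
        failures[user] = failures.get(user, 0) + 1
        return GENERIC
    if not gui_access:
        return "No permissions for system access."
    return "OK"

def login_uniform(user, password, failures):
    """Hardened model: one message, same hashing work and same lockout for any name."""
    if failures.get(user, 0) >= LOCK_AFTER:  # counter keyed by the submitted name
        return GENERIC
    salt, digest, gui_access = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(pw_hash(password, salt), digest)
    if not ok or not gui_access:  # a no-access user also gets the generic reply
        failures[user] = failures.get(user, 0) + 1
        return GENERIC
    return "OK"

def responses(login, names, password, attempts):
    """Reply each name receives on the last of `attempts` tries with `password`."""
    out = {}
    for name in names:
        failures = {}
        for _ in range(attempts):
            reply = login(name, password, failures)
        out[name] = reply
    return out
def distinguishable(replies):
    return len(set(replies.values())) > 1  # replies alone reveal which names exist
```

The lockout in the hardened model is keyed by the submitted name whether or not it exists, so timing and blocking behave the same for both; a real deployment would also want the same response time, which this model does not measure.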
Status
Package | Release | Status
---|---|---
zabbix (Launchpad, Ubuntu, Debian) | bionic | Released (1:3.0.12+dfsg-1ubuntu0.1~esm3), available with Ubuntu Pro
zabbix | disco | Ignored (end of life)
zabbix | eoan | Ignored (end of life)
zabbix | upstream | Needed
zabbix | impish | Not vulnerable (5.0.7+dfsg-1build1)
zabbix | hirsute | Not vulnerable (5.0.7+dfsg-1build1)
zabbix | xenial | Released (1:2.4.7+dfsg-2ubuntu2.1+esm3), available with Ubuntu Pro
zabbix | jammy | Not vulnerable (5.0.7+dfsg-1build1)
zabbix | kinetic | Not vulnerable (5.0.7+dfsg-1build1)
zabbix | trusty | Released (1:2.2.2+dfsg-1ubuntu1+esm4), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
zabbix | focal | Released (1:4.0.17+dfsg-1ubuntu0.1~esm1), available with Ubuntu Pro
zabbix | lunar | Not vulnerable (5.0.7+dfsg-1build1)
zabbix | groovy | Ignored (end of life)
zabbix | mantic | Not vulnerable (5.0.7+dfsg-1build1)

Patches: upstream: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b5a110e4d1c21d865cd03e3ef8dbc6f37221b60f
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |