Описание
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| zabbix | fixed | 1:5.0.7+dfsg-1 | package | |
| zabbix | postponed | jessie | package |
Примечания
https://support.zabbix.com/browse/ZBX-16532
https://support.zabbix.com/browse/ZBX-5842
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b5a110e4d1c21d865cd03e3ef8dbc6f37221b60f (4.0.27rc1)
EPSS
Связанные уязвимости
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Уязвимость реализации сценариев api_jsonrpc.php и index.php универсальной системы мониторинга Zabbix, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS