Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2019-17382

Опубликовано: 09 окт. 2019
Источник: debian

Описание

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
zabbixfixed1:5.0.0+dfsg-1package
zabbixignoredstretchpackage
zabbixno-dsajessiepackage

Примечания

  • https://support.zabbix.com/browse/ZBX-16789

  • Disputed by upstream, closed as not a security bug.

  • Guest account is disabled by default starting in 4.0.15rc1, 4.4.2rc1 and

  • 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532)

  • Patch to disable default user by default:

  • https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35 (5.0.0alpha1)

  • https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882 (4.0.15rc1)

Связанные уязвимости

ubuntu логотип

CVE-2019-17382

CVSS3: 9.1
ubuntu
больше 6 лет назад

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

nvd логотип

CVE-2019-17382

CVSS3: 9.1
nvd
больше 6 лет назад

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

github логотип

GHSA-x4g7-vjj9-57q3

CVSS3: 9.1
github
больше 3 лет назад

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

fstec логотип

BDU:2021-03179

CVSS3: 9.1
fstec
больше 6 лет назад

Уязвимость универсальной системы мониторинга Zabbix, связанная с обходом авторизации посредством использования ключа, контролируемого пользователем, позволяющая нарушителю обойти страницу входа и получить доступ к странице панели инструментов