Description
Security update for zabbix
This update for zabbix fixes the following issues:
- Updated to latest release 4.0.37.
Security issues fixed:
- CVE-2022-23134: Fixed possible view of the setup pages by unauthenticated users if config file already exists (boo#1194681).
- CVE-2021-27927: Fixed CSRF protection mechanism inside CControllerAuthenticationUpdate controller (boo#1183014).
- CVE-2020-15803: Fixed stored XSS in the URL Widget (boo#1174253).
Bugfixes:
- boo#1181400: Added hardening to systemd service(s)
- boo#1144018: Restructured for easier maintenance because of FATE#324346
Package list
openSUSE Leap 15.3
Links
- E-Mail link for openSUSE-SU-2022:0036-1
- SUSE Security Ratings
- SUSE Bug 1144018
- SUSE Bug 1174253
- SUSE Bug 1181400
- SUSE Bug 1183014
- SUSE Bug 1194681
- SUSE CVE CVE-2020-15803 page
- SUSE CVE CVE-2021-27927 page
- SUSE CVE CVE-2022-23134 page
Description
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
Affected products
Links
- CVE-2020-15803
- SUSE Bug 1174253
Description
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls disableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Affected products
Links
- CVE-2021-27927
- SUSE Bug 1183014
Description
After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. A malicious actor can pass the step checks and potentially change the configuration of the Zabbix Frontend.
Affected products
Links
- CVE-2022-23134
- SUSE Bug 1194681