Description
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
| Release | Status | Note |
|---|---|---|
| bionic | ignored | end of standard support, was needed |
| devel | not-affected | 1:6.0.29+dfsg-1 |
| disco | ignored | end of life |
| eoan | ignored | end of life |
| esm-apps/bionic | released | 1:3.0.12+dfsg-1ubuntu0.1~esm3 |
| esm-apps/focal | released | 1:4.0.17+dfsg-1ubuntu0.1~esm1 |
| esm-apps/jammy | not-affected | 5.0.7+dfsg-1build1 |
| esm-apps/xenial | released | 1:2.4.7+dfsg-2ubuntu2.1+esm3 |
| esm-infra-legacy/trusty | released | 1:2.2.2+dfsg-1ubuntu1+esm4 |
| focal | ignored | end of standard support, was needed |
EPSS
CVSS2: 5 Medium
CVSS3: 5.3 Medium
Related vulnerabilities
A vulnerability in the implementation of the api_jsonrpc.php and index.php scripts of the Zabbix universal monitoring system that allows an attacker to gain unauthorized access to protected information