CVE-2019-15132

Sažetak

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.

Reference

https://support.zabbix.com/browse/ZBX-16532
https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

12-04-2023 - 16:15

Objavljeno

17-08-2019 - 18:15