ALT-PU-2021-2018-1
Closed vulnerabilities
BDU:2023-01681
Уязвимость метода init() универсальной системы мониторинга Zabbix, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
BDU:2023-02341
Уязвимость реализации сценариев api_jsonrpc.php и index.php универсальной системы мониторинга Zabbix, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Modified: 2024-11-21
CVE-2019-15132
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
- [debian-lts-announce] 20210421 [SECURITY] [DLA 2631-1] zabbix security update
- [debian-lts-announce] 20210421 [SECURITY] [DLA 2631-1] zabbix security update
- [debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update
- [debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update
- https://support.zabbix.com/browse/ZBX-16532
- https://support.zabbix.com/browse/ZBX-16532
Modified: 2024-11-21
CVE-2021-27927
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Closed bugs
обновить конфигурацию доступа для httpd-2.4
Пакет Zabbix Agent 2