Lucene search

[email protected]CVE-2019-15132

HistoryAug 17, 2019 - 6:15 p.m.

CVE-2019-15132

2019-08-1718:15:00

CWE-203

[email protected]

web.nvd.nist.gov

249

cve-2019-15132

zabbix

user enumeration

security vulnerability

api

application security

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.9 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.01 Low

EPSS

Percentile

83.2%

JSON

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the “Login name or password is incorrect” and “No permissions for system access” messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.

CPENameOperatorVersion
zabbix:zabbixzabbixeq4.4.0
zabbix:zabbixzabbixle4.0.26
zabbix:zabbixzabbixle5.0.5
zabbix:zabbixzabbixle5.2.1
debian:debian_linuxdebian debian linuxeq9.0