Zabbix security vulnerabilities fixed CVE-2016-10742, CVE-2017-282
Reporter | Title | Published | Views | Family All 25 |
---|---|---|---|---|
![]() | Debian: Security Advisory (DLA-1708-1) | 11 Mar 201900:00 | – | openvas |
![]() | Zabbix Server Information Disclosure Vulnerability (May 2018) | 2 May 201800:00 | – | openvas |
![]() | Debian: Security Advisory (DLA-2461-1) | 22 Nov 202000:00 | – | openvas |
![]() | Ubuntu: Security Advisory (USN-4767-1) | 27 Jan 202300:00 | – | openvas |
![]() | [SECURITY] [DLA 1708-1] zabbix security update | 11 Mar 201921:38 | – | debian |
![]() | [SECURITY] [DLA 2461-1] zabbix security update | 21 Nov 202017:32 | – | debian |
![]() | CVE-2016-10742 | 17 Feb 201900:00 | – | ubuntucve |
![]() | CVE-2017-2826 | 9 Apr 201800:00 | – | ubuntucve |
![]() | CVE-2016-10742 | 17 Feb 201916:29 | – | cve |
![]() | CVE-2017-2826 | 9 Apr 201820:29 | – | cve |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1708-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(122762);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/14");
script_cve_id("CVE-2016-10742", "CVE-2017-2826");
script_name(english:"Debian DLA-1708-1 : zabbix security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security update.");
script_set_attribute(attribute:"description", value:
"Several security vulnerabilities were discovered in Zabbix, a
server/client network monitoring solution.
CVE-2016-10742
Zabbix allowed remote attackers to redirect to external links by
misusing the request parameter.
CVE-2017-2826
An information disclosure vulnerability exists in the iConfig proxy
request of Zabbix server. A specially crafted iConfig proxy request
can cause the Zabbix server to send the configuration information of
any Zabbix proxy, resulting in information disclosure. An attacker can
make requests from an active Zabbix proxy to trigger this
vulnerability.
This update also includes several other bug fixes and improvements.
For more information please refer to the upstream changelog file.
For Debian 8 'Jessie', these problems have been fixed in version
1:2.2.23+dfsg-0+deb8u1.
We recommend that you upgrade your zabbix packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/03/msg00010.html");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/jessie/zabbix");
script_set_attribute(attribute:"solution", value:
"Upgrade the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-10742");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/09");
script_set_attribute(attribute:"patch_publication_date", value:"2019/03/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-agent");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-frontend-php");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-java-gateway");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-proxy-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-proxy-pgsql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-proxy-sqlite3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-server-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix-server-pgsql");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"8.0", prefix:"zabbix-agent", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-frontend-php", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-java-gateway", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-proxy-mysql", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-proxy-pgsql", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-proxy-sqlite3", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-server-mysql", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-server-pgsql", reference:"1:2.2.23+dfsg-0+deb8u1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo