CVE-2013-5572
Published 2013-10-01
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
Priority: P4 (low). CVSS 2.0 base score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
EPSS: 4.11% (89.5th percentile)
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < 1:2.2.2+dfsg-1 (bookworm) | 1:2.2.2+dfsg-1 (bookworm) |
| zabbix | zabbix | — | — |
| zabbix | zabbix | >= 0 < 1:2.2.2+dfsg-1 | 1:2.2.2+dfsg-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N |
| osv | — | 3.5 | LOW | — |
| vendor_debian | — | 3.5 | LOW | — |
Debian
CVE-2013-5572: zabbix - Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind passwor...
vendor_debian · 2013 · CVSS 3.5 [LOW]
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
Scope: local
bookworm: resolved (fixed in 1:2.2.2+dfsg-1)
bullseye: resolved (fixed in 1:2.2.2+dfsg-1)
forky: resolved (fixed in 1:2.2.2+dfsg-1)
sid: resolved (fixed in 1:2.2.2+dfsg-1)
trixie: resolved (fixed in 1:2.2.2+dfsg-1)
GHSA
GHSA-c47p-v2q9-c4rg: Zabbix 2
ghsa_unreviewed · 2022-05-17 · [LOW]
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
OSV
CVE-2013-5572: Zabbix 2
osv · 2013-10-01 · CVSS 3.5 [LOW]
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
No detection rules found.
Bugzilla
CVE-2013-5572 zabbix: password leakage [epel-all]
bugzilla · 2013-10-01 · CVSS 3.5 [LOW]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple supported
Bugzilla
CVE-2013-5572 zabbix: password leakage [fedora-all]
bugzilla · 2013-10-01 · CVSS 3.5 [LOW]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple supported ve
Bugzilla
CVE-2013-5572 zabbix: password leakage
bugzilla · 2013-10-01 · CVSS 3.5 [LOW]
Zabbix, a network management system application designed to monitor and track the status of various network services, is found to have a vulnerability that could lead to password leakage.
Once the user is able to open a console session in Zabbix, he can access the tab where the various users of the system are displayed. An impersonated user can view the application source code and could find the password that Zabbix uses to interact with, for example, a domain controller.
The field to look for in the source code of the website is:
type="password" id="ldap_bind_password" name="ldap_bind_password" value=...
Also, if the user requests to refresh the web page, the browser asks the user to store or cache the password, which could also lead to p
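The bug report above boils down to one observable: a password input in the Zabbix authentication page whose value attribute carries the stored LDAP bind secret. The following is an added audit check, not code from Zabbix or from the bug reporter, that parses saved HTML of that page and flags any password input pre-filled with a non-empty value. The two HTML snippets are constructed for the example (only the ldap_bind_password attributes come from the report; the surrounding form markup, the other field names and the sample secret are assumptions), and the optional live fetch assumes the page path authentication.php and a valid session cookie name, which you must take from your own instance.

```python
from html.parser import HTMLParser
import urllib.request

# Constructed sample of a vulnerable page: the stored bind password is echoed into
# the value attribute. Field attributes follow the bug report; the rest is assumed.
VULNERABLE_PAGE = """
<form action="authentication.php" method="post">
<input type="text" id="ldap_host" name="ldap_host" value="ldap.corp.example">
<input type="text" id="ldap_bind_dn" name="ldap_bind_dn" value="cn=zabbix,dc=corp,dc=example">
<input type="password" id="ldap_bind_password" name="ldap_bind_password" value="S3cretBindPw">
</form>
"""

# Constructed sample of a fixed page: the server no longer writes the secret back.
FIXED_PAGE = """
<form action="authentication.php" method="post">
<input type="text" id="ldap_host" name="ldap_host" value="ldap.corp.example">
<input type="text" id="ldap_bind_dn" name="ldap_bind_dn" value="cn=zabbix,dc=corp,dc=example">
<input type="password" id="ldap_bind_password" name="ldap_bind_password" value="">
</form>
"""


class PrefilledPasswordFinder(HTMLParser):
    """Collects every <input type="password"> whose value attribute is non-empty.

    Findings record (name, id, length of value) so a report can be shared without
    re-leaking the secret it found.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # html.parser yields None for attributes written without a value
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        if a.get("value"):
            self.findings.append((a.get("name", ""), a.get("id", ""), len(a["value"])))


def prefilled_password_fields(html):
    """Return [(name, id, value_length), ...] for every pre-filled password input."""
    parser = PrefilledPasswordFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def leaks_ldap_bind_password(html):
    """True when the page echoes a non-empty ldap_bind_password value (CVE-2013-5572 symptom)."""
    return any(name == "ldap_bind_password" for name, _, _ in prefilled_password_fields(html))


def fetch_authentication_page(base_url, session_cookie):
    """Fetch the authentication page with an existing admin session.

    Assumptions: the page lives at <base_url>/authentication.php and the session
    cookie is passed verbatim (e.g. "zbx_sessionid=..."). Network access is required;
    the constructed samples above are used when running offline.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/authentication.php",
                                 headers={"Cookie": session_cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for label, page in (("vulnerable sample", VULNERABLE_PAGE), ("fixed sample", FIXED_PAGE)):
        hits = prefilled_password_fields(page)
        print(label, "->", "LEAK" if leaks_ldap_bind_password(page) else "clean", hits)
```

Run it against HTML saved from the Authentication page of a logged-in session (or wire fetch_authentication_page into the loop) and treat any pre-filled password input as a finding, not only ldap_bind_password: the same rendering mistake can affect any secret the form stores, and the report deliberately carries only the value length.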
References
http://archives.neohapsis.com/archives/fulldisclosure/2013-09/0149.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132377.html
Published 2013-10-01