CVE-2014-1682 — Improper Authentication in Zabbix

CWE-287 — Improper Authentication8 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.3%

top 51.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix Fedoraproject Fedora

Timeline

PublishedMay 8

Latest updateMay 17

Description

The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/zabbix< zabbix 1:2.2.2+dfsg-1 (bookworm)

▶Debianzabbix/zabbix< 1:2.2.2+dfsg-1+3

▶NVDzabbix/zabbix1.8.19+20

Also affects: Fedora 19, 20

🔴Vulnerability Details

GHSA

GHSA-hvm5-hr24-54m2: The API in Zabbix before 1↗2022-05-17

▶

OSV

CVE-2014-1682: The API in Zabbix before 1↗2014-05-08

▶

📋Vendor Advisories

Debian

CVE-2014-1682: zabbix - The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2...↗2014

▶

💬Community

Bugzilla

CVE-2014-1682 zabbix: API issue allows users to impersonate other users↗2014-02-05

▶

Bugzilla

CVE-2014-1682 zabbix: API issue allows users to impersonate other users [epel-6]↗2014-02-05

▶

Bugzilla

CVE-2014-1682 zabbix: API issue allows users to impersonate other users [fedora-all]↗2014-02-05

▶

Bugzilla

CVE-2014-1682 zabbix20: zabbix: API issue allows users to impersonate other users [epel-all]↗2014-02-05

▶