CVE-2019-15132: Observable Discrepancy in Zabbix

Severity

NVD: 5.3 MEDIUM
OSV: 9.8
EPSS: 0.5% (top 33.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 17; Latest update Jun 15

Description

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

debian (debian/zabbix): < zabbix 1:5.0.7+dfsg-1 (bookworm)
Debian (zabbix/zabbix): < 1:5.0.7+dfsg-1 (+3)
Ubuntu (zabbix/zabbix): < 1:2.2.2+dfsg-1ubuntu1+esm4 (+3)
NVD (zabbix/zabbix): 5.0.0 to 5.0.5 (+3)

Also affects: Debian Linux 9.0

🔴 Vulnerability Details (3)

OSV: zabbix vulnerabilities (2022-06-15)
GHSA: GHSA-8rh3-5c87-wh48: Zabbix through 4 (2022-05-24)
OSV: CVE-2019-15132: Zabbix through 4 (2019-08-17)

📋 Vendor Advisories (2)

Ubuntu: Zabbix vulnerabilities (2022-06-15)
Debian: CVE-2019-15132: zabbix - Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is p... (2019)

💬 Community (7)

Bugzilla: CVE-2019-15132 zabbix: information disclosure in api_jsonrpc.php and index.php (2019-11-12)
Bugzilla: CVE-2019-15132 zabbix22: zabbix: information disclosure in api_jsonrpc.php and index.php [epel-6] (2019-11-12)
Bugzilla: CVE-2019-15132 zabbix30: zabbix: information disclosure in api_jsonrpc.php and index.php [epel-7] (2019-11-12)
Bugzilla: CVE-2019-15132 zabbix40: zabbix: information disclosure in api_jsonrpc.php and index.php [epel-8] (2019-11-12)
Bugzilla: CVE-2019-15132 zabbix: information disclosure in api_jsonrpc.php and index.php [fedora-all] (2019-11-12)