Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-17382Authorization Bypass Through User-Controlled Key in Zabbix

CWE-639Authorization Bypass Through User-Controlled Key11 documents7 sources
Severity
9.1CRITICALNVD
EPSS
93.7%
top 0.15%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
ZabbixDebian Zabbix
Timeline
PublishedOct 9
Latest updateMay 24

Description

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

debiandebian/zabbix< zabbix 1:5.0.0+dfsg-1 (bookworm)
Debianzabbix/zabbix< 1:5.0.0+dfsg-1+3
NVDzabbix/zabbix4.4

🔴Vulnerability Details

2
GHSA
GHSA-x4g7-vjj9-57q3: An issue was discovered in zabbix2022-05-24
OSV
CVE-2019-17382: An issue was discovered in zabbix2019-10-09

💥Exploits & PoCs

2
Exploit-DB
Zabbix 3.4.7 - Stored XSS2021-03-31
Nuclei
Zabbix <=4.4 - Authentication Bypass

📋Vendor Advisories

1
Debian
CVE-2019-17382: zabbix - An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zab...2019

💬Community

5
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [epel-7]2019-11-18
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page2019-11-18
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [fedora-all]2019-11-18
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [epel-6]2019-11-18
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [epel-8]2019-11-18