CVE-2021-27927 — Cross-Site Request Forgery in Zabbix

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 77.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix

Timeline

PublishedMar 3

Latest updateMay 24

Description

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/zabbix< zabbix 1:5.0.8+dfsg-1 (bookworm)

▶Debianzabbix/zabbix< 1:5.0.8+dfsg-1+3

▶NVDzabbix/zabbix4.0.0 — 4.0.27+2

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

GHSA

GHSA-3mh6-r7m6-r42x: In Zabbix before 4↗2022-05-24

▶

OSV

CVE-2021-27927: In Zabbix from 4↗2021-03-03

▶

📋Vendor Advisories

Debian

CVE-2021-27927: zabbix - In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x befor...↗2021

▶