
Debian 10 Buster DLA-3538-1 High: Zabbix Info Exposure Advisory

debian lts
August 22, 2023
Several vulnerabilities were identified in Zabbix according to Debian LTS Advisory DLA-3538-1, which advises immediate upgrades to avert potential attacks.
Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing an attacker to crash the server, disclose information, or perform Cross-Site-Scrip...

Summary

Important Notices:
To mitigate CVE-2019-17382, on existing installations, the guest account
needs to be manually disabled, for example by disabling the "Guest
group" in the UI:
Administration -> User groups -> Guests -> Untick Enabled

This update also fixes a regression with CVE-2022-35229, which broke the
possibility to edit and add discovery rules in the UI.



CVE-2013-7484

Zabbix before version 4.4.0alpha2 stores credentials in the "users"
table with the password hash stored as an MD5 hash, which is a known
insecure hashing method. Furthermore, no salt is used with the hash.
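An added audit example (not code from the advisory or from Zabbix) that classifies the stored hash format of each account and surfaces the consequence of the missing salt: accounts sharing a password end up with an identical hash. It assumes rows shaped like the "users" table's alias and passwd columns; the sample rows are constructed here from made-up passwords.

```python
import hashlib
import re
from collections import defaultdict


def legacy_md5(password: str) -> str:
    """Pre-4.4 scheme described in the advisory: plain MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample rows (alias, passwd) in the shape of the "users" table.
SAMPLE_USERS = [
    ("Admin", legacy_md5("zabbix")),      # unsalted MD5
    ("guest", legacy_md5("")),            # built-in guest, MD5 of empty password
    ("ops1",  legacy_md5("zabbix")),      # same password as Admin -> same hash
    ("ops2",  "$2y$10$" + "a" * 53),      # bcrypt-format value, placeholder
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def classify(passwd: str) -> str:
    """Label the hash format; 32 hex characters matches the unsalted MD5 scheme."""
    if MD5_RE.match(passwd):
        return "legacy-md5"
    if BCRYPT_RE.match(passwd):
        return "bcrypt"
    return "unknown"


def audit(rows):
    """Return accounts still on unsalted MD5 and groups of accounts sharing one hash.

    Shared hashes are only observable because no per-user salt is mixed in; with a
    salted scheme, equal passwords would still produce distinct stored values."""
    legacy = [alias for alias, pw in rows if classify(pw) == "legacy-md5"]
    by_hash = defaultdict(list)
    for alias, pw in rows:
        if classify(pw) == "legacy-md5":
            by_hash[pw].append(alias)
    shared = [sorted(aliases) for aliases in by_hash.values() if len(aliases) > 1]
    return {"legacy_md5_accounts": legacy, "shared_hash_groups": shared}


if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```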

CVE-2019-17382 (Disputed, not seen by upstream as a security issue)

An issue was discovered in
zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through
4.4. An attacker can bypass the login page and access the dashboard
page, and then create a Dashboard, Report, Screen, or Map without
any Username/Password (i.e., anonymously). All created elements



Package: zabbix
Version: 1:4.0.4+dfsg-1+deb10u2
CVE ID: CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515
Debian Bug: 1026847
