CVE-2019-15132
Publication date 17 August 2019
Last updated 24 July 2024
Ubuntu priority
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
From the Ubuntu Security Team
It was discovered that Zabbix incorrectly handled failed login attempts. A remote attacker could possibly use this issue to enumerate users.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| zabbix | 24.10 oracular |
Not affected
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 1:4.0.17+dfsg-1ubuntu0.1~esm1
|
|
| 18.04 LTS bionic |
Fixed 1:3.0.12+dfsg-1ubuntu0.1~esm3
|
|
| 16.04 LTS xenial |
Fixed 1:2.4.7+dfsg-2ubuntu2.1+esm3
|
|
| 14.04 LTS trusty |
Fixed 1:2.2.2+dfsg-1ubuntu1+esm4
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProPatch details
| Package | Patch details |
|---|---|
| zabbix |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4767-1
- Zabbix vulnerabilities
- 15 June 2022