ubuntucve | Ubuntu.com | UB:CVE-2019-15132
Aug 17, 2019 - 12:00 a.m.

CVE-2019-15132

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.013
Percentile: 86.1%

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it
is possible to enumerate application usernames based on the variability of
server responses (e.g., the “Login name or password is incorrect” and “No
permissions for system access” messages, or just blocking for a number of
seconds). This affects both api_jsonrpc.php and index.php.

Bugs

| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | zabbix | < 1:3.0.12+dfsg-1ubuntu0.1~esm3 | UNKNOWN |
| ubuntu | 20.04 | noarch | zabbix | < 1:4.0.17+dfsg-1ubuntu0.1~esm1 | UNKNOWN |
| ubuntu | 14.04 | noarch | zabbix | < 1:2.2.2+dfsg-1ubuntu1+esm4 | UNKNOWN |
| ubuntu | 16.04 | noarch | zabbix | < 1:2.4.7+dfsg-2ubuntu2.1+esm3 | UNKNOWN |
