[ZBX-15577] Restricted users can get hostnames of the hosts via host screen functionality - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Problem report
Status: Closed
Priority: Trivial
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.25rc1, 4.0.4rc1, 4.2.0alpha3, 4.2 (plan)
Component/s: Frontend (F)
Labels:
None

Team:
Team D
Sprint:
Sprint 47, Dec 2018, Sprint 48, Jan 2019
Story Points:
0.25

Description

Zabbix administator can configure permissions for user groups. For example, he can restrict access to the information about group of the hosts. But it was found that restricted users (e.g. guest user) can get hostnames of the hosts via host screen functionality. It can be checked by using such URL as a restricted user: http://ZABBIX_SERVER/zabbix/host_screen.php?hostid=10084. 10084 is an id of the host, so it can be different for your system.
In other parts of Zabbix such behaviour is blocked. Please tell me if you consider this a vulnerability.

Attachments

Activity

People

Assignee:: Vasily Goncharenko (Inactive)

Reporter:: Rostislav Palivoda

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2018 Dec 17 12:10

Updated:: 2019 Feb 18 11:17

Resolved:: 2019 Feb 05 07:08