[ZBX-15870] Zabbix version number should not be available for unauthorized users - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.2.24rc1, 3.0.27rc1, 4.0.6rc1, 4.2.0rc2
Fix Version/s: 3.0.27rc1, 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan)
Component/s: Frontend (F)
Labels:
- security

Team:
Team B
Sprint:
Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
Story Points:
0.25

Description

Starting from version 3.0, Zabbix has login page without version number at page footer. That was done to avoid information leakage about potential vulnerabilities to unauthorized users.

Unfortunately, version number is included in jsLoader URL so unauthorized user can access it anyway.

Attachments

Issue Links

part of

ZBX-9522 Frontend messaging on dashboard doesn't follow refresh period configuration.

Closed

Activity

People

Assignee:: Miks Kronkalns

Reporter:: Miks Kronkalns

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2019 Mar 25 17:33

Updated:: 2020 Jul 16 14:10

Resolved:: 2019 Apr 10 09:04