Information disclosure vulnerability - Zabbix version in API


    • Type: Incident report
    • Resolution: Unresolved
    • Priority: Trivial
    • Affects Version/s: 5.0.34, 6.0.17, 6.4.2
    • Component/s: API (A)

      Steps to reproduce:

      1. Get the API version from the URL according to the documentation:
        https://www.zabbix.com/documentation/current/en/manual/api/reference/apiinfo/version

      Result:
      Request:

      { "jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1}

      Response:

      { "jsonrpc": "2.0", "result": "6.4.0", "id": 1}

      Issue:
      In the past, the version of Zabbix was removed from the login screen (probably to prevent information disclosure). In currently supported versions, the version of Zabbix is available via the API. This is, however, an information disclosure: an attacker can enumerate the version.

      Request:
      Remove unauthenticated access to the version of Zabbix via the API.
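      The following Python script is an added example and is not part of this report or of Zabbix's own code. It shows the defensive side of the issue above: one function scans a request log for unauthenticated apiinfo.version calls and counts them per source address (the "<client_ip> <json-rpc body>" line format and the sample lines are constructed for the example; Zabbix does not log API bodies in this shape), and a second function inspects a captured API response so an administrator can confirm whether the version string is still disclosed after a mitigation, such as blocking the method at the web server, has been applied.

```python
import json
import re
from collections import Counter

# Constructed sample log: one request per line, "<client_ip> <json-rpc body>".
# The format is an assumption made for this example only.
SAMPLE_API_LOG = [
    '203.0.113.7 {"jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1}',
    '198.51.100.2 {"jsonrpc": "2.0", "method": "user.login", "params": {"username": "Admin", "password": "***"}, "id": 2}',
    '198.51.100.2 {"jsonrpc": "2.0", "method": "host.get", "params": {"output": "extend"}, "auth": "<token>", "id": 3}',
    '203.0.113.7 {"jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 4}',
    '203.0.113.7 not-json-at-all',
]

# A disclosed version looks like "6.4.0"; anything else in "result" is not one.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+")


def parse_line(line):
    """Split a log line into (client_ip, request_dict); None if the body is not a JSON object."""
    ip, _, body = line.partition(" ")
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(req, dict):
        return None
    return ip, req


def is_version_probe(req):
    """True for an apiinfo.version call that carries no session token ("auth" field)."""
    return req.get("method") == "apiinfo.version" and "auth" not in req


def find_version_probes(lines):
    """Return {client_ip: count} of unauthenticated apiinfo.version calls seen in the log."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable body: skip rather than crash the scan
        ip, req = parsed
        if is_version_probe(req):
            hits[ip] += 1
    return dict(hits)


def disclosed_version(response_body):
    """Return the version string if a JSON-RPC response leaks one in "result", else None."""
    try:
        resp = json.loads(response_body)
    except json.JSONDecodeError:
        return None
    result = resp.get("result") if isinstance(resp, dict) else None
    if isinstance(result, str) and VERSION_RE.match(result):
        return result
    return None


if __name__ == "__main__":
    # Scan the constructed log and report probing sources.
    for ip, count in find_version_probes(SAMPLE_API_LOG).items():
        print(f"{ip}: {count} unauthenticated apiinfo.version call(s)")
    # Re-check the response captured in the report above (constructed copy).
    captured = '{ "jsonrpc": "2.0", "result": "6.4.0", "id": 1}'
    print("version still disclosed:", disclosed_version(captured))
```

      Running the script on the sample log attributes both apiinfo.version calls to 203.0.113.7 and ignores the authenticated host.get call and the malformed line; disclosed_version returns "6.4.0" for the response shown in the report and None once the endpoint answers with an error object instead of a result.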

            Assignee:
            Zabbix Development Team
            Reporter:
            A.J. Goedhart
            Votes:
            0
            Watchers:
            2
