
Information disclosure vulnerability - Zabbix version in API

    • Type: Incident report
    • Resolution: Unresolved
    • Priority: Trivial
    • 5.0.34, 6.0.17, 6.4.2
    • API (A)

      Steps to reproduce:

      1. Get API version from URL according to documentation
        https://www.zabbix.com/documentation/current/en/manual/api/reference/apiinfo/version 

      Result:
      Request:

      { "jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1}

      Response:

      { "jsonrpc": "2.0", "result": "6.4.0", "id": 1}

      Issue:
      In the past, the version of Zabbix was removed from the login screen (probably to prevent information disclosure). In currently supported versions, the version of Zabbix is available via the API. This is, however, an information disclosure: an attacker can enumerate the version.

      Request:
      Remove unauthenticated access to the version of Zabbix via the API.
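      Two defender-side helpers for the behaviour reported above, added here as an example that is not part of this report and not Zabbix code: one classifies an apiinfo.version response captured from your own instance (to confirm whether the version is disclosed after a change), the other is a hypothetical reverse-proxy rule implementing the requested mitigation. It assumes the JSON-RPC 2.0 request/response shape shown in the report and that the proxy can tell whether the caller has a valid session (the `has_session` flag, e.g. from a frontend session cookie or a Bearer token); nothing here is a Zabbix feature.

```python
"""Audit and mitigation helpers for unauthenticated apiinfo.version (added example)."""
import json
import re

# Sample messages constructed from the report above (not live traffic).
SAMPLE_REQUEST = '{ "jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1}'
SAMPLE_RESPONSE = '{ "jsonrpc": "2.0", "result": "6.4.0", "id": 1}'

# Zabbix versions are dotted numerics such as 6.4.0.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def audit_apiinfo_response(body: str) -> dict:
    """Classify a raw apiinfo.version response body from your own instance.

    Returns {"disclosed": bool, "version": str | None}. Any body that is not
    a JSON object carrying a version-shaped "result" counts as not disclosed
    (including JSON-RPC error responses after the endpoint is restricted).
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"disclosed": False, "version": None}
    result = data.get("result") if isinstance(data, dict) else None
    if isinstance(result, str) and VERSION_RE.match(result):
        return {"disclosed": True, "version": result}
    return {"disclosed": False, "version": None}


def should_block_unauthenticated_version(body: str, has_session: bool) -> bool:
    """Hypothetical reverse-proxy rule for the report's request.

    Deny apiinfo.version when the caller has no session; every other method
    passes through untouched because Zabbix enforces its own authentication
    there. Malformed bodies also pass so Zabbix returns its usual parse error.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    if not isinstance(data, dict) or data.get("method") != "apiinfo.version":
        return False
    return not has_session


if __name__ == "__main__":
    print(audit_apiinfo_response(SAMPLE_RESPONSE))
    print(should_block_unauthenticated_version(SAMPLE_REQUEST, has_session=False))
```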

            zabbix.dev Zabbix Development Team
            Albert-Jan A.J. Goedhart