[ZBX-7703] Security flaw with API access when using HTTP authentication - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.19, 2.0.10, 2.2.1, 2.3.0
Fix Version/s: 1.8.20rc1, 2.0.11rc1, 2.2.2rc1, 2.3.0
Component/s: API (A)
Labels:
- authentication
- security
Environment:
Apache + mod_php + mod_auth_kerb

Description

When Zabbix is configured with HTTP authentication, the API uses permissions of the user passed to the user.login call. Therefore, as long as you can authenticate to the Zabbix server, you could impersonate any user via the API by passing another username to the user.login request.

CVE-2014-1682

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

ZBX-7703-1.8.2.patch
0.9 kB
2014 Feb 10 12:11
ZBX-7703-2.2.1.patch
1 kB
2014 Feb 07 13:39

Activity

People

Assignee:: Unassigned

Reporter:: Vitaly Shupak

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2014 Jan 25 03:08

Updated:: 2020 Jul 16 14:10

Resolved:: 2014 Feb 13 17:03