Details

    • Type: Incident report
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.20, 2.0.11rc2, 2.2.3rc1, 2.3.0
    • Fix Version/s: 2.3.0
    • Component/s: API (A), Frontend (F)

      Description

      The "exists" methods, which allow checking whether an object matching some criteria exists, do not check permissions. For example, we can find out if host "Zabbix server" exists, even if we don't have permissions to it. This vulnerability is not that critical, since there are other ways we can find this out: we can try to create a host with the same name and see if an error is triggered. But in the case of the "exists" methods, we have some additional uses: for example, checking if an item with a specific key exists on a host we have no permissions to.
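
      The gap described above, as an added example that is not Zabbix code and not part of the original report: a constructed model of an item "exists" call, first answering from raw data and then restricted to hosts the caller can read. The names `User`, `item_exists_unchecked`, `item_exists_checked` and `unauthorized_confirmations` and the sample data are assumptions, and the checked variant is one way to close the gap, not necessarily how the fix was implemented.

```python
from dataclasses import dataclass, field

# Constructed sample data: host name -> item keys configured on that host.
HOSTS = {
    "Zabbix server": {"agent.ping", "system.cpu.load"},
    "web01": {"net.tcp.service[http]"},
}


@dataclass
class User:
    name: str
    readable_hosts: set = field(default_factory=set)  # hosts this user may read


def item_exists_unchecked(user, host, key):
    """Behaviour from the report: the answer ignores who is asking."""
    return key in HOSTS.get(host, set())


def item_exists_checked(user, host, key):
    """Scope the lookup to readable hosts before answering.

    An unreadable host and a nonexistent host both yield False, so the
    caller cannot tell the two cases apart.
    """
    if host not in user.readable_hosts:
        return False
    return key in HOSTS.get(host, set())


def unauthorized_confirmations(exists_fn, user):
    """Regression check: (host, key) pairs confirmed without read permission."""
    return sorted(
        (host, key)
        for host, keys in HOSTS.items()
        if host not in user.readable_hosts
        for key in keys
        if exists_fn(user, host, key)
    )


if __name__ == "__main__":
    guest = User("guest", {"web01"})
    print("unchecked:", unauthorized_confirmations(item_exists_unchecked, guest))
    print("checked:  ", unauthorized_confirmations(item_exists_checked, guest))
```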

            People

            • Assignee: iivs Ivo Kurzemnieks
            • Reporter: jelisejev Pavels Jelisejevs (Inactive)
