[ZBX-15870] Zabbix version number should not be available for unauthorized users
Created: 2019 Mar 25 | Updated: 2020 Jul 16 | Resolved: 2019 Apr 10 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Frontend (F) |
Affects Version/s: | 2.2.24rc1, 3.0.27rc1, 4.0.6rc1, 4.2.0rc2 |
Fix Version/s: | 3.0.27rc1, 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan) |
Type: | Defect (Security) | Priority: | Minor |
Reporter: | Miks Kronkalns | Assignee: | Miks Kronkalns |
Resolution: | Fixed | Votes: | 1 |
Labels: | security |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Issue Links: |
Team: | Team B |
Sprint: | Sprint 50 (Mar 2019), Sprint 51 (Apr 2019) |
Story Points: | 0.25 |
Description |
Starting from version 3.0, Zabbix has a login page without a version number in the page footer. That was done to avoid information leakage about potential vulnerabilities to unauthorized users. Unfortunately, the version number is included in the jsLoader URL, so an unauthorized user can access it anyway. |
Comments |
Comment by Miks Kronkalns [ 2019 Apr 04 ] |
Fixed in:
|