CVE-2019-15132
Last modified
CVE-2019-15132 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). EPSS estimates a 2.03% chance of exploitation in the next 30 days.
Description
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Zabbix | Zabbix | <= 4.0.26 | — |
| Zabbix | Zabbix | >= 5.0.0, <= 5.0.5 | — |
| Zabbix | Zabbix | >= 5.2.0, <= 5.2.1 | — |
| Zabbix | Zabbix | 4.4.0 | Alpha1 |
| Debian | Debian Linux | 9.0 | — |
References
- https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html (Mailing List, Third Party Advisory)
- https://support.zabbix.com/browse/ZBX-16532 (Vendor Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-15132?
How severe is CVE-2019-15132?
How do I fix CVE-2019-15132?
Are you affected by CVE-2019-15132?
Source: NVD / NIST
