CVE-2021-27927
Last modified
CVE-2021-27927 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. EPSS estimates a 1.47% chance of exploitation in the next 30 days.
Description
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Zabbix | Zabbix | >= 4.0.0, <= 4.0.27 |
| Zabbix | Zabbix | >= 5.0.0, <= 5.0.9 |
| Zabbix | Zabbix | >= 5.2.0, <= 5.2.3 |
References
- https://support.zabbix.com/browse/ZBX-18942Issue Tracking, Patch, Vendor Advisory
- https://support.zabbix.com/browse/ZBX-18942Issue Tracking, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-27927?
How severe is CVE-2021-27927?
How do I fix CVE-2021-27927?
Are you affected by CVE-2021-27927?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST