Candidate: CVE-2019-15132
PublicDate: 2019-08-17 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15132
 https://support.zabbix.com/browse/ZBX-16532
Description:
 Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it
 is possible to enumerate application usernames based on the variability of
 server responses (e.g., the "Login name or password is incorrect" and "No
 permissions for system access" messages, or just blocking for a number of
 seconds). This affects both api_jsonrpc.php and index.php.
Ubuntu-Description:
 It was discovered that Zabbix incorrectly handled failed login attempts. A
 remote attacker could possibly use this issue to enumerate users.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935027
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]

Patches_zabbix:
 upstream: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b5a110e4d1c21d865cd03e3ef8dbc6f37221b60f
upstream_zabbix: needed
precise/esm_zabbix: DNE
trusty_zabbix: ignored (out of standard support)
trusty/esm_zabbix: needed
xenial_zabbix: ignored (end of standard support, was needed)
bionic_zabbix: needed
disco_zabbix: ignored (reached end-of-life)
eoan_zabbix: ignored (reached end-of-life)
focal_zabbix: needed
groovy_zabbix: ignored (reached end-of-life)
hirsute_zabbix: not-affected (5.0.7+dfsg-1build1)
impish_zabbix: not-affected (5.0.7+dfsg-1build1)
jammy_zabbix: not-affected (5.0.7+dfsg-1build1)
devel_zabbix: not-affected (5.0.7+dfsg-1build1)