Detections
Analytics
Zabbix < 1.8.20 / 2.0.11 / 2.2.2 Multiple Vulnerabilities
medium Nessus Plugin ID 72770
Language:
Synopsis
The remote web application may be affected by multiple vulnerabilities.Description
According to its self-reported version number, the instance of Zabbix listening on the remote host is potentially affected by the following vulnerabilities :- An error exists related to LDAP authentication that could disclose the LDAP bind password. (CVE-2013-5572)
- An error exists related to HTTP authentication, the API function 'user.login' call and user switching that could allow a security bypass. (CVE-2014-1682)
- An error exists related to the user type 'Zabbix Admin' that could allow unauthorized application changes that should be reserved only for the user type 'Zabbix Super Admin'. (CVE-2014-1685)
Note that Nessus has not tested for thes issues but has instead relied only the version in the Zabbix login page.
Solution
Update Zabbix to version 1.8.20, 2.0.11, 2.2.2 or later.See Also
https://www.zabbix.com/rn/rn1.8.20
http://www.zabbix.com/rn2.0.11.php
https://www.zabbix.com/rn/rn2.2.2
https://support.zabbix.com/browse/ZBX-6721
Plugin Details
Severity: Medium
ID: 72770
File Name: zabbix_frontend_2_2_2.nasl
Version: 1.10
Type: remote
Family: CGI abuses
Published: 3/3/2014
Updated: 6/5/2024
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Medium
Score: 5.0
CVSS v2
Risk Factor: Medium
Base Score: 5.5
Temporal Score: 4.3
Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS Score Source: CVE-2014-1685
Vulnerability Information
CPE: cpe:/a:zabbix:zabbix
Required KB Items: Settings/ParanoidReport, www/zabbix
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: No exploit is required
Patch Publication Date: 1/31/2014
Vulnerability Publication Date: 6/18/2013