Vulnerability Description
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
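The weakness described above is a response-oracle problem: the login endpoint answers differently depending on whether the name exists, whether the password matched, or whether the account is allowed in, and an observer can tell those cases apart. The following Python example is added here to illustrate the defensive fix; it is not Zabbix's code, and the user store, the `can_login` flag, the `GENERIC_ERROR` string and the per-client lockout counter are all constructed for the illustration. `login_leaky` shows the pattern the advisory describes (distinct message for an existing-but-unpermitted account, and no password work done for unknown names), while `login_uniform` and `login_throttled` return one message and do the same work on every failure path.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

GENERIC_ERROR = "Login name or password is incorrect."
MAX_FAILURES = 5


def hash_password(password, salt):
    # PBKDF2-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed in-memory user store for this example (not Zabbix's schema).
# 'can_login' models an account that exists but may not use the interface.
_SALT = os.urandom(16)
USERS = {
    "admin":   {"salt": _SALT, "hash": hash_password("correct horse", _SALT), "can_login": True},
    "auditor": {"salt": _SALT, "hash": hash_password("s3cret", _SALT), "can_login": False},
}

# Throwaway credential verified for names that do not exist, so an unknown
# name costs the server the same amount of work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username, password):
    """Constructed illustration of the weak pattern: the reply depends on why login failed."""
    user = USERS.get(username)
    if user is None:
        # Unknown name: returns immediately, no hash computed (timing differs).
        return False, GENERIC_ERROR
    if not user["can_login"]:
        # Different message before the password is even checked: confirms the name exists.
        return False, "No permissions for system access."
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False, GENERIC_ERROR
    return True, "OK"


def login_uniform(username, password):
    """Hardened form: one message and one amount of work regardless of the failure reason."""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    # Always hash and compare, even when the name is unknown.
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    allowed = user is not None and user["can_login"]
    if password_ok and allowed:
        return True, "OK"
    # The actual reason (unknown name, bad password, no permission) stays server-side;
    # log it for the SOC, but never return it to the client.
    return False, GENERIC_ERROR


# Failure counter keyed by client, not by username: a lockout tied to a
# username would itself confirm that the username exists.
_failures = defaultdict(int)


def login_throttled(client_id, username, password):
    """Per-client lockout wrapped around login_uniform, same message when locked."""
    if _failures[client_id] >= MAX_FAILURES:
        # A real server would also apply the delay here, identically for every name.
        return False, GENERIC_ERROR
    ok, msg = login_uniform(username, password)
    _failures[client_id] = 0 if ok else _failures[client_id] + 1
    return ok, msg


if __name__ == "__main__":
    print(login_leaky("auditor", "anything"))      # leaks that 'auditor' exists
    print(login_uniform("auditor", "anything"))    # same message as an unknown name
    print(login_uniform("nobody", "anything"))
```

The detection side follows from the same design: because the hardened handler knows the real failure reason internally, it can log it (unknown name versus bad password) and a high ratio of unknown-name failures from one client is a useful enumeration signal, even though the client only ever sees `GENERIC_ERROR`.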
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zabbix | Zabbix | <= 4.0.26 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html
- https://support.zabbix.com/browse/ZBX-16532 (Vendor Advisory)
FAQ
What is CVE-2019-15132?
CVE-2019-15132 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or passwo...
How severe is CVE-2019-15132?
CVE-2019-15132 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-15132?
Check the references section above for vendor advisories and patch information. Affected products include: Zabbix (Zabbix) and Debian Linux (Debian).