Bug 1061563 (CVE-2014-1682)

Summary: CVE-2014-1682 zabbix: API issue allows users to impersonate other users
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brett.lentz, ccoleman, dan, dmcphers, jialiu, jrusnack, lmeyer, nelsonab, tkramer, vdanen, volker27
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-30 04:32:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1061564, 1061565, 1061566, 1082438    
Bug Blocks: 1061567    

Description Murray McAllister 2014-02-05 05:47:03 UTC 
ZBX-7703 describes the following flaw in Zabbix:

"When Zabbix is configured with HTTP authentication, the API uses permissions of the user passed to the user.login call. Therefore, as long as you can authenticate to the Zabbix server, you could impersonate any user via the API by passing another username to the user.login request."

This issue affects versions 1.8.19, 2.0.10, 2.2.1, and 2.3.0.

References:
http://www.zabbix.com/rn2.2.2rc1.php
https://support.zabbix.com/browse/ZBX-7703
Comment 1 Murray McAllister 2014-02-05 05:49:41 UTC 
Created zabbix tracking bugs for this issue:

Affects: fedora-all [bug 1061564]
Affects: epel-6 [bug 1061566]
Comment 2 Murray McAllister 2014-02-05 05:49:45 UTC 
Created zabbix20 tracking bugs for this issue:

Affects: epel-all [bug 1061565]
Comment 3 Fedora Update System 2014-03-02 19:24:22 UTC 
zabbix20-2.0.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-03-02 19:24:43 UTC 
zabbix20-2.0.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-03-02 19:25:10 UTC 
zabbix-1.8.20-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Volker Fröhlich 2014-04-06 12:12:08 UTC 
Murray, this ticket is not publicly available.
Comment 8 Fedora Update System 2014-05-01 22:20:43 UTC 
zabbix-2.0.11-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-05-01 22:21:10 UTC 
zabbix-2.0.11-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.