Bug 1095926 (CVE-2014-1685)

Summary: CVE-2014-1685 zabbix: unauthorized modification of user media via Zabbix Admin users
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brett.lentz, dan, nelsonab, orion, volker27
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: zabbix 1.8.20, zabbix 2.0.11, zabbix 2.2.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-05 18:58:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1095927    
Bug Blocks:    

Description Vincent Danen 2014-05-08 20:43:23 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1685 to
the following vulnerability:

Name: CVE-2014-1685
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1685
Assigned: 20140128
Reference: https://support.zabbix.com/browse/ZBX-7693
Reference: FEDORA:FEDORA-2014-5540
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132377.html
Reference: FEDORA:FEDORA-2014-5551
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html

The Frontend in Zabbix before 1.8.20rc2, 2.0.x before 2.0.11rc2, and
2.2.x before 2.2.2rc1 allows remote "Zabbix Admin" users to modify the
media of arbitrary users via unspecified vectors.


Current Fedora has zabbix-2.0.11
Current EPEL5 has zabbix20-2.0.11
Current EPEL6 has zabbix-1.8.20, zabbix20-2.0.11, zabbix22-2.2.1 (this last one is still vulnerable)
Comment 1 Vincent Danen 2014-05-08 20:43:53 UTC 
Created zabbix22 tracking bugs for this issue:

Affects: epel-6 [bug 1095927]
Comment 2 Volker Fröhlich 2014-05-13 15:59:20 UTC 
Oh, nevermind the 2 updates!
Comment 3 Fedora Update System 2014-05-23 18:54:39 UTC 
zabbix-2.0.12-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-05-23 18:55:32 UTC 
zabbix-2.0.12-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.