1061563 – (CVE-2014-1682) CVE-2014-1682 zabbix: API issue allows users to impersonate other users

Bug 1061563 (CVE-2014-1682) - CVE-2014-1682 zabbix: API issue allows users to impersonate other users

Summary: CVE-2014-1682 zabbix: API issue allows users to impersonate other users

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-1682
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1061564 1061565 1061566 1082438
Blocks:	1061567
TreeView+	depends on / blocked

Reported:	2014-02-05 05:47 UTC by Murray McAllister
Modified:	2019-09-29 13:13 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-05-30 04:32:30 UTC
Embargoed:

Attachments	(Terms of Use)

Description Murray McAllister 2014-02-05 05:47:03 UTC

ZBX-7703 describes the following flaw in Zabbix:

"When Zabbix is configured with HTTP authentication, the API uses permissions of the user passed to the user.login call. Therefore, as long as you can authenticate to the Zabbix server, you could impersonate any user via the API by passing another username to the user.login request."

This issue affects versions 1.8.19, 2.0.10, 2.2.1, and 2.3.0.

References:
http://www.zabbix.com/rn2.2.2rc1.php
https://support.zabbix.com/browse/ZBX-7703

Comment 1 Murray McAllister 2014-02-05 05:49:41 UTC

Created zabbix tracking bugs for this issue:

Affects: fedora-all [bug 1061564]
Affects: epel-6 [bug 1061566]

Comment 2 Murray McAllister 2014-02-05 05:49:45 UTC

Created zabbix20 tracking bugs for this issue:

Affects: epel-all [bug 1061565]

Comment 3 Fedora Update System 2014-03-02 19:24:22 UTC

zabbix20-2.0.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-03-02 19:24:43 UTC

zabbix20-2.0.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-03-02 19:25:10 UTC

zabbix-1.8.20-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Volker Fröhlich 2014-04-06 12:12:08 UTC

Murray, this ticket is not publicly available.

Comment 8 Fedora Update System 2014-05-01 22:20:43 UTC

zabbix-2.0.11-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-05-01 22:21:10 UTC

zabbix-2.0.11-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.