Bug 1061563 (CVE-2014-1682) - CVE-2014-1682 zabbix: API issue allows users to impersonate other users
Summary: CVE-2014-1682 zabbix: API issue allows users to impersonate other users
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-1682
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1061564 1061565 1061566 1082438
Blocks: 1061567
TreeView+ depends on / blocked
 
Reported: 2014-02-05 05:47 UTC by Murray McAllister
Modified: 2019-09-29 13:13 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-30 04:32:30 UTC


Attachments (Terms of Use)

Description Murray McAllister 2014-02-05 05:47:03 UTC
ZBX-7703 describes the following flaw in Zabbix:

"When Zabbix is configured with HTTP authentication, the API uses permissions of the user passed to the user.login call. Therefore, as long as you can authenticate to the Zabbix server, you could impersonate any user via the API by passing another username to the user.login request."

This issue affects versions 1.8.19, 2.0.10, 2.2.1, and 2.3.0.

References:
http://www.zabbix.com/rn2.2.2rc1.php
https://support.zabbix.com/browse/ZBX-7703

Comment 1 Murray McAllister 2014-02-05 05:49:41 UTC
Created zabbix tracking bugs for this issue:

Affects: fedora-all [bug 1061564]
Affects: epel-6 [bug 1061566]

Comment 2 Murray McAllister 2014-02-05 05:49:45 UTC
Created zabbix20 tracking bugs for this issue:

Affects: epel-all [bug 1061565]

Comment 3 Fedora Update System 2014-03-02 19:24:22 UTC
zabbix20-2.0.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-03-02 19:24:43 UTC
zabbix20-2.0.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-03-02 19:25:10 UTC
zabbix-1.8.20-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Volker Fröhlich 2014-04-06 12:12:08 UTC
Murray, this ticket is not publicly available.

Comment 8 Fedora Update System 2014-05-01 22:20:43 UTC
zabbix-2.0.11-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-05-01 22:21:10 UTC
zabbix-2.0.11-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.