A vulnerability was found in Zabbix through 4.4.0alpha1 that allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Created zabbix tracking bugs for this issue:
Affects: fedora-all [bug 1771302]
Created zabbix22 tracking bugs for this issue:
Affects: epel-6 [bug 1771303]
Affects: epel-7 [bug 1771304]
Created zabbix30 tracking bugs for this issue:
Affects: epel-7 [bug 1771305]
Created zabbix40 tracking bugs for this issue:
Affects: epel-7 [bug 1771306]
Affects: epel-8 [bug 1771307]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
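The response variability described in the first comment, shown as an added example that is not Zabbix code and not part of this bug report: a login handler whose failure responses differ by account state, next to one that returns a single message and does the same hashing work for every request, plus a regression check that compares the two. The account store, function names and sample accounts are constructed for illustration; only the two message strings come from the report.

```python
import hashlib
import hmac
import os

GENERIC = "Login name or password is incorrect"
NO_ACCESS = "No permissions for system access"
ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str, enabled: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "enabled": enabled}


# Constructed account store (hypothetical, not Zabbix's schema).
USERS = {"admin": make_user("s3cret"), "guest": make_user("guest", enabled=False)}
# Stand-in record so unknown names cost the same hash computation.
_DUMMY = make_user("placeholder")


def login_leaky(name: str, password: str) -> tuple:
    """Failure response depends on whether and how the account exists."""
    user = USERS.get(name)
    if user is None:
        return (False, GENERIC)      # also returns before any hashing
    if not user["enabled"]:
        return (False, NO_ACCESS)    # distinct message confirms the name
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    return (ok, "" if ok else GENERIC)


def login_uniform(name: str, password: str) -> tuple:
    """One failure message and one code path for every failed login."""
    user = USERS.get(name, _DUMMY)
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    ok = ok and name in USERS and user["enabled"]
    return (ok, "" if ok else GENERIC)


def failure_responses(login) -> set:
    """Regression check: distinct failure responses across account states."""
    cases = [("admin", "wrong"), ("guest", "wrong"), ("nobody", "wrong")]
    return {login(name, password) for name, password in cases}
```

A set with more than one element from `failure_responses` means failed logins are distinguishable by account state. Any lockout or delay after repeated failures needs the same treatment: key it on the submitted name whether or not that name exists.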