Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download

issues
advisories
todo
stats
log
login

CVE-2021-27927 - log back

CVE-2021-27927 edited at 05 Apr 2021 14:11:29

Severity

-	Unknown
+	Medium

Remote

-	Unknown
+	Remote

Type

-	Unknown
+	Authentication bypass

Description

+

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerModuleScan view lacks a CSRF protection mechanism. In both cases, the code calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

References

+	https://support.zabbix.com/browse/ZBX-18942
+	https://support.zabbix.com/browse/DEV-1794
+	https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d039aaea56a98486e3b02433d581b4140fbf6fea
+	https://support.zabbix.com/browse/ZBX-19150
+	https://support.zabbix.com/browse/DEV-1853
+	https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ee6a7de015922121ecf33b856c210e12e9aa84f2

Notes

CVE-2021-27927 created at 05 Apr 2021 14:04:51