CVE-2021-27927 - log back

CVE-2021-27927 edited at 05 Apr 2021 14:11:29
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Authentication bypass
Description
+ In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerModuleScan view lacks a CSRF protection mechanism. In both cases, the code calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
References
+ https://support.zabbix.com/browse/ZBX-18942
+ https://support.zabbix.com/browse/DEV-1794
+ https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d039aaea56a98486e3b02433d581b4140fbf6fea
+ https://support.zabbix.com/browse/ZBX-19150
+ https://support.zabbix.com/browse/DEV-1853
+ https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ee6a7de015922121ecf33b856c210e12e9aa84f2
Notes
CVE-2021-27927 created at 05 Apr 2021 14:04:51