Fedora EPEL 6 update for zabbix
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2014-1682 CVE-2013-5572 CVE-2014-1685 |
| CWE-ID | CWE-287 CWE-264 CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
Fedora Operating systems & Components / Operating system zabbix Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU33098
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-1682
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to manipulate data.
The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 6.0
zabbix: before 1.8.20-1.el6
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-0574
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU33097
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2013-5572
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote #AU# to gain access to sensitive information.
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 6.0
zabbix: before 1.8.20-1.el6
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-0574
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Input validation error
EUVDB-ID: #VU33853
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-1685
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to manipulate or delete data.
The Frontend in Zabbix before 1.8.20rc2, 2.0.x before 2.0.11rc2, and 2.2.x before 2.2.2rc1 allows remote "Zabbix Admin" users to modify the media of arbitrary users via unspecified vectors.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 6.0
zabbix: before 1.8.20-1.el6
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-0574
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
