CVE-2019-15132

Summary

CVE	CVE-2019-15132
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-08-17 18:15:00 UTC
Updated	2023-04-12 16:15:00 UTC
Description	Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.

Risk And Classification

Problem Types: CWE-203

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Zabbix	Zabbix	All	All	All	All
Application	Zabbix	Zabbix	4.2.6	rc1	All	All
Application	Zabbix	Zabbix	4.4.0	alpha1	All	All
Application	Zabbix	Zabbix	4.2.6	rc1	All	All
Application	Zabbix	Zabbix	4.4.0	alpha1	All	All
Application	Zabbix	Zabbix	All	All	All	All
Application	Zabbix	Zabbix	All	All	All	All
Application	Zabbix	Zabbix	All	All	All	All
Application	Zabbix	Zabbix	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] [DLA 2631-1] zabbix security update	MLIST	lists.debian.org
[SECURITY] [DLA 3390-1] zabbix security update	MLIST	lists.debian.org
[ZBX-16532] Zabbix before 4.2 allows User Enumeration - ZABBIX SUPPORT	MISC	support.zabbix.com	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

178643 Debian Security Update for zabbix (DLA 2631-1)
181729 Debian Security Update for zabbix (DLA 3390-1)
181731 Debian Security Update for zabbix (DLA 3390-1)