{"api_version":"1","generated_at":"2026-04-23T09:52:04+00:00","cve":"CVE-2019-15132","urls":{"html":"https://cve.report/CVE-2019-15132","api":"https://cve.report/api/cve/CVE-2019-15132.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-15132","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-15132"},"summary":{"title":"CVE-2019-15132","description":"Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the \"Login name or password is incorrect\" and \"No permissions for system access\" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-08-17 18:15:00","updated_at":"2023-04-12 16:15:00"},"problem_types":["CWE-203"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html","name":"[debian-lts-announce] 20210421 [SECURITY] [DLA 2631-1] zabbix security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2631-1] zabbix security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html","name":"[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3390-1] zabbix security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.zabbix.com/browse/ZBX-16532","name":"https://support.zabbix.com/browse/ZBX-16532","refsource":"MISC","tags":["Vendor Advisory"],"title":"[ZBX-16532] Zabbix before 4.2 allows User Enumeration - ZABBIX SUPPORT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-15132","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15132","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"4.2.6","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"4.4.0","cpe7":"alpha1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"4.2.6","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"4.4.0","cpe7":"alpha1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"4.0.26","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"4.2.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"5.0.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"15132","vulnerable":"1","versionEndIncluding":"5.2.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-15132","qid":"178643","title":"Debian Security Update for zabbix (DLA 2631-1)"},{"cve":"CVE-2019-15132","qid":"181729","title":"Debian Security Update for zabbix (DLA 3390-1)"},{"cve":"CVE-2019-15132","qid":"181731","title":"Debian Security Update for zabbix (DLA 3390-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-15132","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the \"Login name or password is incorrect\" and \"No permissions for system access\" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://support.zabbix.com/browse/ZBX-16532","refsource":"MISC","name":"https://support.zabbix.com/browse/ZBX-16532"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210421 [SECURITY] [DLA 2631-1] zabbix security update","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"}]}},"nvd":{"publishedDate":"2019-08-17 18:15:00","lastModifiedDate":"2023-04-12 16:15:00","problem_types":["CWE-203"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zabbix:zabbix:4.4.0:alpha1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*","versionEndIncluding":"4.0.26","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.0","versionEndIncluding":"5.0.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2.0","versionEndIncluding":"5.2.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"15132","Ordinal":"154494","Title":"CVE-2019-15132","CVE":"CVE-2019-15132","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"15132","Ordinal":"1","NoteData":"Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the \"Login name or password is incorrect\" and \"No permissions for system access\" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"15132","Ordinal":"2","NoteData":"2019-08-17","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"15132","Ordinal":"3","NoteData":"2021-04-21","Type":"Other","Title":"Modified"}]}}}