Vulnerability Details : CVE-2019-15132
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Exploit prediction scoring system (EPSS) score for CVE-2019-15132
Probability of exploitation activity in the next 30 days: 0.96%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 81 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-15132
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2019-15132
-
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-15132
-
https://support.zabbix.com/browse/ZBX-16532
[ZBX-16532] Zabbix before 4.2 allows User Enumeration - ZABBIX SUPPORTVendor Advisory
-
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html
[SECURITY] [DLA 3390-1] zabbix security update
-
https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html
[SECURITY] [DLA 2631-1] zabbix security updateMailing List;Third Party Advisory
Products affected by CVE-2019-15132
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:4.4.0:alpha1:*:*:*:*:*:*