CVE-2021-27927

EUVD-2021-14647
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls disableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
CSRF
CVSS 3.x Base Score

Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 8.8 HIGH   | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score: percentile 31%
Affected Products (NVD)

Vendor | Product | Version
zabbix | zabbix  | 4.0.0 ≤ x ≤ 4.0.27
zabbix | zabbix  | 5.0.0 ≤ x ≤ 5.0.9
zabbix | zabbix  | 5.2.0 ≤ x ≤ 5.2.3

x = vulnerable software versions
Debian Releases

Debian Product | Codename            | Version                 | Status
zabbix         | bookworm            | 1:6.0.14+dfsg-1         | fixed
zabbix         | bullseye            | 1:5.0.8+dfsg-1          | fixed
zabbix         | bullseye (security) | 1:5.0.44+dfsg-1+deb11u1 | fixed
zabbix         | sid                 | 1:7.0.5+dfsg-1          | fixed
zabbix         | stretch             |                         | not-affected
zabbix         | trixie              | 1:7.0.5+dfsg-1          | fixed
Ubuntu Releases

Ubuntu Product | Codename | Status
zabbix         | bionic   | not-affected
zabbix         | focal    | needed
zabbix         | groovy   | ignored
zabbix         | hirsute  | ignored
zabbix         | impish   | ignored
zabbix         | jammy    | not-affected
zabbix         | kinetic  | ignored
zabbix         | lunar    | ignored
zabbix         | mantic   | not-affected
zabbix         | noble    | dne
zabbix         | trusty   | not-affected
zabbix         | xenial   | not-affected