CVE-2021-27927

03.03.2021, 17:15

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Vendor	Product	Version
zabbix	zabbix	4.0.0 ≤ 𝑥 ≤ 4.0.27
zabbix	zabbix	5.0.0 ≤ 𝑥 ≤ 5.0.9
zabbix	zabbix	5.2.0 ≤ 𝑥 ≤ 5.2.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

zabbix

bullseye	1:5.0.8+dfsg-1 fixed
stretch	not-affected
bullseye (security)	1:5.0.44+dfsg-1+deb11u1 fixed
bookworm	1:6.0.14+dfsg-1 fixed
sid	1:7.0.5+dfsg-1 fixed
trixie	1:7.0.5+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

zabbix

noble	dne
mantic	not-affected
lunar	ignored
kinetic	ignored
jammy	not-affected
impish	ignored
hirsute	ignored
groovy	ignored
focal	needed
bionic	not-affected
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

https://support.zabbix.com/browse/ZBX-18942

https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

https://support.zabbix.com/browse/ZBX-18942