
A zabbix security update has been released for Debian GNU/Linux 8 Extended LTS to address multiple vulnerabilities.

ELA-406-1 zabbix security update

Package: zabbix
Version: 1:2.2.23+dfsg-0+deb8u2
Related CVEs: CVE-2019-15132, CVE-2020-11800, CVE-2020-15803

Multiple vulnerabilities were discovered in Zabbix, a network monitoring solution. An attacker may remotely execute code on the Zabbix server, enumerate valid users, and redirect users to external links through the Zabbix web frontend.

CVE-2019-15132

Zabbix allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the “Login name or password is incorrect” and “No permissions for system access” messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
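The response-variability oracle behind CVE-2019-15132, shown as an added illustration that is not Zabbix's own code: a login handler that returns distinct messages and skips password hashing for unknown accounts (the vulnerable pattern), beside a hardened form that returns one generic message and does the same work on every path. The user store, salt, the `login_oracle`/`login_uniform`/`enumerable` names and the 20,000-iteration PBKDF2 are constructed for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20_000  # constructed value, kept low so the example runs quickly


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: username -> (salt, password hash, has_frontend_access).
# Hypothetical data; it does not mirror Zabbix's real user table.
_SALT = b"constructed-salt"
USERS = {
    "admin": (_SALT, _pbkdf2("correct horse", _SALT), True),
    "guest": (_SALT, _pbkdf2("guest-pw", _SALT), False),  # exists, but no frontend access
}
# Dummy hash verified for unknown usernames so that path costs the same work as a real one.
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _SALT)


def login_oracle(username: str, password: str) -> str:
    """Vulnerable pattern: the message (and the hashing cost) depends on whether the
    account exists and whether it has access, before the password is even checked."""
    if username not in USERS:
        return "Login name or password is incorrect"  # cheap path: no hashing at all
    salt, stored, has_access = USERS[username]
    if not has_access:
        return "No permissions for system access"  # leaks that the username exists
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "OK"
    return "Login name or password is incorrect"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one generic failure message and identical work on every path,
    so neither the text nor the timing of the response tells unknown users apart."""
    salt, stored, has_access = USERS.get(username, (_SALT, _DUMMY_HASH, False))
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if ok and has_access:
        return "OK"
    return "Login name or password is incorrect"


def enumerable(login, candidates) -> set:
    """Regression check: usernames whose failure response differs from the response
    for a username that does not exist. A hardened handler returns an empty set."""
    baseline = login("no-such-user", "x")
    return {u for u in candidates if login(u, "x") != baseline}
```

`enumerable` only compares message text; the vulnerable handler additionally leaks existing accounts through the skipped hashing, which is why the hardened form verifies a dummy hash on the unknown-user path.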

CVE-2020-11800

Zabbix allows remote attackers to execute arbitrary code on the Zabbix server.

CVE-2020-15803

Zabbix allows stored XSS in the URL Widget.

For Debian 8 jessie, these problems have been fixed in version 1:2.2.23+dfsg-0+deb8u2.

We recommend that you upgrade your zabbix packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/