CVE-2021-27927

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-27927
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27927.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-27927
Related
Published
2021-03-03T17:15:12Z
Modified
2024-09-18T03:19:00.500328Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

References

Affected packages

Debian:11 / zabbix

Package

Name
zabbix
Purl
pkg:deb/debian/zabbix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:5.0.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / zabbix

Package

Name
zabbix
Purl
pkg:deb/debian/zabbix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:5.0.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / zabbix

Package

Name
zabbix
Purl
pkg:deb/debian/zabbix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:5.0.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/zabbix/zabbix

Affected ranges

Type
GIT
Repo
https://github.com/zabbix/zabbix
Events

Affected versions

5.*

5.0.0
5.0.1
5.0.1rc1
5.0.2
5.0.2rc1
5.0.3
5.0.3.rc2
5.0.3rc1
5.0.3rc2
5.0.4
5.0.4rc1
5.0.5
5.0.5rc1
5.0.6
5.0.6rc1
5.0.7
5.0.7rc1
5.0.8
5.0.8rc1
5.0.9
5.0.9rc1
5.0.9rc2