Latest Zabbix releases (2.2.2, 2.0.11 and 1.8.20) contain 3 security fixes.
CVE-2013-5572
Zabbix frontend may expose LDAP authentication password to users with Superadmin privileges.
CVE-2014-1682
A user may impersonate any other user via the Zabbix API when HTTP authentication is in use.
CVE-2014-1685
Users of type 'admin' may modify media for other users even though they should be able to modify their own media only.
CVE-2013-5572
Zabbix frontend may expose LDAP authentication password to users with Superadmin privileges.
-------------------------
Vulnerability description
-------------------------
Zabbix frontend may expose LDAP authentication password to users with Superadmin privileges.
Please use CVE-2013-5572 to refer to this vulnerability.
-------
Details
-------
Zabbix stores a password used for binding to the LDAP server. This password was transmitted to any user with Superadmin privileges who opened the authentication configuration page. Zabbix user or admin level privileges did not allow access to this password.
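The defensive pattern for this class of issue is to treat a stored bind password as write-only from the frontend's point of view: the configuration page reports only whether a password is set, and a save request replaces the stored value only when a new, non-empty password is submitted. The following Python model is an added illustration, not Zabbix's own code; the role constants, record fields and function names are assumptions of the model.

```python
"""Model of a 'never echo the secret back' authentication settings page.

Added illustration, not Zabbix code. The stored LDAP bind password is
write-only from the frontend's point of view: the settings form shows only
whether a password is set, and a save request replaces the stored value only
when a new, non-empty password is submitted.
"""
from dataclasses import dataclass

USER_TYPE_USER = 1        # hypothetical role constants for this model
USER_TYPE_ADMIN = 2
USER_TYPE_SUPERADMIN = 3

PASSWORD_UNCHANGED = ""   # form sentinel: leave the stored password as it is


@dataclass
class AuthSettings:
    ldap_host: str = ""
    ldap_bind_dn: str = ""
    ldap_bind_password: str = ""   # secret: must never reach a browser


@dataclass
class User:
    name: str
    user_type: int


class Forbidden(Exception):
    pass


def _require_superadmin(viewer: User) -> None:
    if viewer.user_type != USER_TYPE_SUPERADMIN:
        raise Forbidden("authentication settings require Superadmin")


def render_auth_config(settings: AuthSettings, viewer: User) -> dict:
    """Build the data sent to the configuration page.

    Only Superadmins may open the page, and even they receive no password
    material, just a flag so the UI can show that a password is set.
    """
    _require_superadmin(viewer)
    return {
        "ldap_host": settings.ldap_host,
        "ldap_bind_dn": settings.ldap_bind_dn,
        "ldap_bind_password": PASSWORD_UNCHANGED,   # field is rendered empty
        "ldap_bind_password_set": bool(settings.ldap_bind_password),
    }


def save_auth_config(settings: AuthSettings, form: dict, viewer: User) -> AuthSettings:
    """Apply a submitted form. An empty password field means 'keep the old one'."""
    _require_superadmin(viewer)
    new_password = form.get("ldap_bind_password", PASSWORD_UNCHANGED)
    return AuthSettings(
        ldap_host=form.get("ldap_host", settings.ldap_host),
        ldap_bind_dn=form.get("ldap_bind_dn", settings.ldap_bind_dn),
        ldap_bind_password=(settings.ldap_bind_password
                            if new_password == PASSWORD_UNCHANGED
                            else new_password),
    )


def leaks_secret(page: dict, settings: AuthSettings) -> bool:
    """Regression check: does any rendered field contain the stored secret?"""
    secret = settings.ldap_bind_password
    return bool(secret) and any(
        isinstance(value, str) and secret in value for value in page.values())


if __name__ == "__main__":
    # Constructed sample settings; the host and password are placeholders.
    stored = AuthSettings("ldap.example.invalid", "cn=zabbix,dc=example", "s3cret-bind-pw")
    alice = User("alice", USER_TYPE_SUPERADMIN)
    print("rendered page leaks secret:", leaks_secret(render_auth_config(stored, alice), stored))
```

The `leaks_secret` helper is the kind of check that belongs in a frontend's test suite: render the page as the most privileged user and assert that the stored secret does not appear anywhere in the response.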
-----------------
Affected versions
-----------------
All of the Zabbix versions are vulnerable to this problem.
--------------
Fixed versions
--------------
This vulnerability has been fixed in the latest releases of Zabbix.
The fix is available in the following Zabbix releases:
2.2.2
2.0.11
1.8.20
A user may impersonate any other user via the Zabbix API when HTTP authentication is in use.
-------------------------
Vulnerability description
-------------------------
A user may impersonate any other user via the Zabbix API when HTTP authentication is in use.
Please use CVE-2014-1682 to refer to this vulnerability.
-------
Details
-------
After logging into Zabbix using HTTP authentication, a user could call the user.login API method and pass a different user account. This could lead to impersonation of any other user and/or to privilege escalation.
This issue has been reported by Vitaly Shupak.
-----------------
Affected versions
-----------------
All of the Zabbix versions are vulnerable to this problem.
--------------
Fixed versions
--------------
This vulnerability has been fixed in the latest releases of Zabbix.
The fix is available in the following Zabbix releases:
2.2.2
2.0.11
1.8.20
Additionally, patches are available for the following Zabbix versions:
2.2.1
1.8.2
Users of type 'admin' may modify media for other users even though they should be able to modify their own media only.
-------------------------
Vulnerability description
-------------------------
Users of type 'admin' may modify media for other users even though they should be able to modify their own media only.
Please use CVE-2014-1685 to refer to this vulnerability.
-------
Details
-------
Users of type 'admin' should be able to modify only their own media. The Zabbix API allowed them to modify media for any user.
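Both API issues described on this page (CVE-2014-1682 above and CVE-2014-1685 here) are missing authorization checks at the API layer: user.login under HTTP authentication must be bound to the identity the web server already established, and a media update must be refused unless the caller owns the entry or is a Superadmin. The Python model below is an added illustration, not Zabbix's own code; the role constants, user and media records, the `remote_user` parameter (standing in for the web server's REMOTE_USER) and the media function name are assumptions of the model, and the user directory is a constructed sample.

```python
"""Model of two API-side authorization checks.

Added illustration only, not Zabbix's own code. Record and function names
are assumptions of this model:

1. user.login while HTTP authentication is in use: the account named in the
   request must be the account the web server already authenticated
   (remote_user). A mismatch is refused instead of switching identities.
2. updating a media entry: a user of type 'admin' may change only media
   belonging to their own account; only a Superadmin may change media of
   other users.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

USER_TYPE_USER, USER_TYPE_ADMIN, USER_TYPE_SUPERADMIN = 1, 2, 3   # model roles


@dataclass
class User:
    userid: int
    alias: str
    user_type: int
    password_sha256: str   # model only; a real frontend uses salted hashing


@dataclass
class Media:
    mediaid: int
    userid: int            # account that owns this media entry
    sendto: str


class ApiError(Exception):
    pass


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample directory: one admin-type user and one Superadmin.
USERS = {
    "carol": User(1, "carol", USER_TYPE_ADMIN, _sha256("carol-pw")),
    "dave": User(2, "dave", USER_TYPE_SUPERADMIN, _sha256("dave-pw")),
}
MEDIA = {
    10: Media(10, userid=1, sendto="carol@example.invalid"),
    20: Media(20, userid=2, sendto="dave@example.invalid"),
}


def user_login(params: dict, remote_user: Optional[str], users=USERS) -> User:
    """Resolve a user.login request to a User record.

    remote_user is the identity the web server established through HTTP
    authentication, or None when HTTP authentication is not in use.
    """
    requested = params.get("user")
    if remote_user is not None:
        # HTTP auth: the session may only be bound to the account the web
        # server authenticated. Naming a different account is an error.
        if requested is not None and requested != remote_user:
            raise ApiError("user.login: account differs from HTTP-authenticated user")
        user = users.get(remote_user)
    else:
        # Ordinary login: verify the supplied password for the named account.
        user = users.get(requested)
        supplied = _sha256(params.get("password", ""))
        if user is None or not hmac.compare_digest(user.password_sha256, supplied):
            raise ApiError("user.login: invalid credentials")
    if user is None:
        raise ApiError("user.login: unknown user")
    return user


def update_media(caller: User, mediaid: int, sendto: str, media=MEDIA) -> Media:
    """Change the destination of a media entry, enforcing ownership."""
    entry = media.get(mediaid)
    if entry is None:
        raise ApiError("media: no such entry")
    if caller.user_type != USER_TYPE_SUPERADMIN and entry.userid != caller.userid:
        # 'user' and 'admin' types may only touch their own media
        raise ApiError("media: permission denied")
    return Media(entry.mediaid, entry.userid, sendto)


if __name__ == "__main__":
    carol = user_login({"user": "carol"}, remote_user="carol")
    print("carol updates own media:", update_media(carol, 10, "c2@example.invalid").sendto)
    try:
        update_media(carol, 20, "x@example.invalid")
    except ApiError as err:
        print("carol updating dave's media:", err)
```

The point of the ownership check is that it keys on the record's owner (`entry.userid`) rather than on anything in the request, so an admin-type caller cannot widen their own scope by naming another user's media id.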
This issue has been reported by Corey Shaw.
-----------------
Affected versions
-----------------
All of the Zabbix versions are vulnerable to this problem.
--------------
Fixed versions
--------------
This vulnerability has been fixed in the latest releases of Zabbix.
The fix is available in the following Zabbix releases:
2.2.2
2.0.11
1.8.20