Oval Definition:oval:org.opensuse.security:def:202127927
Revision Date:2022-09-01
Version:1
Title:CVE-2021-27927
Description:

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls disableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Family:unix
Class:vulnerability
Status:
Reference(s):Mitre CVE-2021-27927
SUSE CVE-2021-27927
SUSE-CU-2021:275-1
SUSE-SU-2021:0990-1
openSUSE-SU-2022:0036-1
openSUSE-SU-2022:0058-1
Platform(s):openSUSE Leap 15.3
openSUSE Tumbleweed
SUSE Linux Enterprise Server 12 SP3-TERADATA
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
Product(s):
Definition Synopsis
  • openSUSE Tumbleweed is installed
  • AND Package Information
  • zabbix-agent-4.0.32-1.4 is installed
  • OR zabbix-java-gateway-4.0.32-1.4 is installed
  • OR zabbix-phpfrontend-4.0.32-1.4 is installed
  • OR zabbix-proxy-4.0.32-1.4 is installed
  • OR zabbix-proxy-mysql-4.0.32-1.4 is installed
  • OR zabbix-proxy-postgresql-4.0.32-1.4 is installed
  • OR zabbix-proxy-sqlite-4.0.32-1.4 is installed
  • OR zabbix-server-4.0.32-1.4 is installed
  • OR zabbix-server-mysql-4.0.32-1.4 is installed
  • OR zabbix-server-postgresql-4.0.32-1.4 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
  • AND zabbix-agent-4.0.12-4.12.1 is installed
  • Definition Synopsis
  • openSUSE Leap 15.3 is installed
  • AND Package Information
  • zabbix-agent-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-agent is signed with openSUSE key
  • OR
  • zabbix-java-gateway-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-java-gateway is signed with openSUSE key
  • OR
  • zabbix-phpfrontend-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-phpfrontend is signed with openSUSE key
  • OR
  • zabbix-proxy-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-proxy is signed with openSUSE key
  • OR
  • zabbix-proxy-mysql-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-proxy-mysql is signed with openSUSE key
  • OR
  • zabbix-proxy-postgresql-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-proxy-postgresql is signed with openSUSE key
  • OR
  • zabbix-proxy-sqlite-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-proxy-sqlite is signed with openSUSE key
  • OR
  • zabbix-server-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-server is signed with openSUSE key
  • OR
  • zabbix-server-mysql-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-server-mysql is signed with openSUSE key
  • OR
  • zabbix-server-postgresql-4.0.38-bp153.2.3.1 is installed
  • AND zabbix-server-postgresql is signed with openSUSE key
  • Definition Synopsis
  • Release Information
  • SUSE Linux Enterprise Server 12 SP5 is installed
  • OR SUSE Linux Enterprise Server for SAP Applications 12 SP5 is installed
  • AND zabbix-agent-4.0.12-4.12.1 is installed