Zabbix < 1.8.20 / 2.0.11 / 2.2.2 Multiple Vulnerabilities

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Synopsis :

The remote web application may be affected by multiple vulnerabilities.

Description :

According to its self-reported version number, the instance of Zabbix
listening on the remote host is potentially affected by the following
vulnerabilities :

- An error exists related to LDAP authentication that
could disclose the LDAP bind password. (CVE-2013-5572)

- An error exists related to HTTP authentication, the API
function 'user.login' call and user switching that could
allow a security bypass. (CVE-2014-1682)

- An error exists related to the user type 'Zabbix Admin'
that could allow unauthorized application changes that
should be reserved only for the user type 'Zabbix Super
Admin'. (CVE-2014-1685)

Note that Nessus has not tested for these issues but has instead relied
only on the version reported in the Zabbix login page.

See also :

Solution :

Update Zabbix to version 1.8.20, 2.0.11, 2.2.2 or later.
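As an added illustration of the version-only check this plugin description relies on (example code, not the Nessus plugin itself): read the self-reported version from the login page and compare it against the fixed release of its own branch. The login-page footer format and the handling of branches the advisory does not list (no verdict) are assumptions.

```python
import re
from typing import Optional, Tuple

# First fixed release per branch, taken from the solution line above.
FIXED_VERSIONS = {
    (1, 8): (1, 8, 20),
    (2, 0): (2, 0, 11),
    (2, 2): (2, 2, 2),
}

# Constructed sample of a login-page footer (assumed format, for illustration).
SAMPLE_LOGIN_HTML = (
    '<div class="copyright">Zabbix 2.0.10 Copyright 2001-2014 by Zabbix SIA</div>'
)


def extract_version(html: str) -> Optional[str]:
    """Pull the self-reported version string out of login-page HTML.
    Assumes the footer reads 'Zabbix <major>.<minor>[.<patch>]'."""
    m = re.search(r"Zabbix\s+(\d+\.\d+(?:\.\d+)?)", html)
    return m.group(1) if m else None


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.0.10' into (2, 0, 10); a missing patch level counts as 0.
    Suffixes such as 'rc1' are ignored (assumption: numeric parts only)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the branch's fix is not yet applied, False if it is,
    None when the branch is not one the advisory lists (no verdict)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    reported = extract_version(SAMPLE_LOGIN_HTML)
    print(f"reported version: {reported}, affected: {is_affected(reported)}")
```

A version-only check like this cannot tell a backported fix from an unpatched install, which is exactly the limitation the note above states.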

Risk factor :

Medium / CVSS Base Score : 6.0
CVSS Temporal Score : 5.2
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 72770

Bugtraq ID: 65402

CVE ID: CVE-2013-5572