Bug 11328

Summary: zabbix - password leakage (CVE-2013-5572)
Product: Mageia
Reporter: Oden Eriksson <oe>
Component: Security
Assignee: Dimitri Jakov <mitya>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: luigiwalser
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
Whiteboard:
Source RPM: zabbix
CVE:
Status comment:

Description Oden Eriksson 2013-10-01 08:12:51 CEST
======================================================
Name: CVE-2013-5572
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130823
Category: 
Reference: FULLDISC:20130925 CVE-2013-5572
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-09/0149.html

Zabbix 2.0.5 allows remote authenticated users to discover the LDAP
bind password by leveraging management-console access and reading the
ldap_bind_password value in the HTML source code.


Reproducible: 

Steps to Reproduce:

Comment 1 David Walser 2013-10-01 15:24:08 CEST
Does this affect Zabbix 1.x?  We only have 2.x in Cauldron.

Version: 2 => Cauldron

David Walser 2013-10-01 15:24:32 CEST

CC: (none) => luigiwalser
Assignee: bugsquad => mitya
Summary: CVE-2013-5572: zabbix - password leakage => zabbix - password leakage (CVE-2013-5572)

Comment 2 David Walser 2013-10-12 02:20:13 CEST
The upstream report doesn't list 1.x as affected:
https://support.zabbix.com/browse/ZBX-6721

Status: NEW => RESOLVED
Resolution: (none) => INVALID
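
Added example, not part of this bug report and not Zabbix code: a regression check for the issue class in the CVE description quoted above, where a stored secret is written into the value attribute of a form field and so is readable in the HTML source. The field name ldap_bind_password comes from the CVE text; the sample markup, the other field names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Field name taken from the CVE text; extend with other secret-bearing fields.
SECRET_FIELD_NAMES = {"ldap_bind_password"}


class PrefilledSecretFinder(HTMLParser):
    """Collects <input> elements that send a stored secret back to the browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        is_secret = (a.get("type", "").lower() == "password"
                     or a.get("name", "") in SECRET_FIELD_NAMES)
        # type="password" only masks the characters on screen; the value
        # attribute is still plain text in the page source.
        if is_secret and a.get("value", "").strip():
            line, _col = self.getpos()
            self.findings.append((line, a.get("name", ""), a.get("type", "")))


def find_prefilled_secrets(html):
    """Return (line, field name, input type) for each populated secret field."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup (not Zabbix's real page): a form shaped like the
# one the CVE describes, and a form that never echoes the stored value.
LEAKY_FORM = """<form method="post">
<input type="text" name="ldap_host" value="ldap.example.test">
<input type="password" name="ldap_bind_password" value="constructed-secret">
</form>"""

SAFE_FORM = """<form method="post">
<input type="text" name="ldap_host" value="ldap.example.test">
<input type="password" name="ldap_bind_password" value=""
       placeholder="unchanged unless a new value is entered">
</form>"""

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_FORM), ("safe", SAFE_FORM)):
        print(label, find_prefilled_secrets(page))
```

Run against the rendered HTML of an authenticated settings page, any finding means the server is returning the stored secret to every user who can open that page.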