Bug 11328 - zabbix - password leakage (CVE-2013-5572)
Summary: zabbix - password leakage (CVE-2013-5572)
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Dimitri Jakov
QA Contact: Sec team
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-01 08:12 CEST by Oden Eriksson
Modified: 2013-10-12 02:20 CEST

See Also:
Source RPM: zabbix
CVE:
Status comment:


Description Oden Eriksson 2013-10-01 08:12:51 CEST
======================================================
Name: CVE-2013-5572
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130823
Category: 
Reference: FULLDISC:20130925 CVE-2013-5572
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-09/0149.html

Zabbix 2.0.5 allows remote authenticated users to discover the LDAP
bind password by leveraging management-console access and reading the
ldap_bind_password value in the HTML source code.


Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-10-01 15:24:08 CEST
Does this affect Zabbix 1.x?  We only have 2.x in Cauldron.

Version: 2 => Cauldron

David Walser 2013-10-01 15:24:32 CEST

CC: (none) => luigiwalser
Assignee: bugsquad => mitya
Summary: CVE-2013-5572: zabbix - password leakage => zabbix - password leakage (CVE-2013-5572)

Comment 2 David Walser 2013-10-12 02:20:13 CEST
The upstream report doesn't list 1.x as affected:
https://support.zabbix.com/browse/ZBX-6721

Status: NEW => RESOLVED
Resolution: (none) => INVALID
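
A regression check for the kind of leak the CVE text describes, as an added example that is not part of this bug report or of Zabbix: it scans rendered HTML for password-type or password-named inputs served with a non-empty value attribute, and reports the field name, line and value length only. The sample pages, the name heuristic and the function name are assumptions of the example; only the ldap_bind_password field name comes from the CVE description.

```python
import re
from html.parser import HTMLParser

# Field names that suggest a stored credential (a heuristic assumed for this example).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret", re.IGNORECASE)


class _PrefilledSecretFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing <input ... /> via the default handle_startendtag.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        secret_like = (a.get("type", "").lower() == "password"
                       or SECRET_NAME.search(a.get("name", "")))
        if secret_like and a.get("value", ""):
            line, _col = self.getpos()
            # Record the length only, so the report does not copy the secret again.
            self.findings.append((a.get("name", ""), line, len(a["value"])))


def find_prefilled_secrets(html):
    """Return (field name, line, value length) for each secret input sent with a value."""
    finder = _PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages: the first echoes the stored secret back to the browser,
# the second renders the same form with the password field left empty.
LEAKY_PAGE = """<form method="post" action="/settings">
  <input type="text" name="ldap_host" value="ldap.example.test">
  <input type="text" name="ldap_bind_dn" value="cn=monitor,dc=example,dc=test">
  <input type="password" name="ldap_bind_password" value="constructed-secret">
</form>"""

FIXED_PAGE = """<form method="post" action="/settings">
  <input type="text" name="ldap_host" value="ldap.example.test">
  <input type="text" name="ldap_bind_dn" value="cn=monitor,dc=example,dc=test">
  <input type="password" name="ldap_bind_password">
</form>"""

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("fixed", FIXED_PAGE)):
        print(label, find_prefilled_secrets(page))
```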

