vuln-list-alt/oval/p9/ALT-PU-2020-1083/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20201083",
      "Version": "oval:org.altlinux.errata:def:20201083",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2020-1083: package `zabbix` update to version 4.4.4-alt0.p9.1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p9"
            ],
            "Products": [
              "ALT Server",
              "ALT Virtualization Server",
              "ALT Workstation",
              "ALT Workstation K",
              "ALT Education",
              "Simply Linux",
              "Starterkit"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2020-1083",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2020-1083",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2021-03179",
            "RefURL": "https://bdu.fstec.ru/vul/2021-03179",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2023-01681",
            "RefURL": "https://bdu.fstec.ru/vul/2023-01681",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2023-01720",
            "RefURL": "https://bdu.fstec.ru/vul/2023-01720",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2023-02341",
            "RefURL": "https://bdu.fstec.ru/vul/2023-02341",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2019-15132",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-15132",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-17382",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-17382",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2021-27927",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-27927",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2022-23132",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-23132",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades zabbix to version 4.4.4-alt0.p9.1. \nSecurity Fix(es):\n\n * BDU:2021-03179: Уязвимость универсальной системы мониторинга Zabbix, связанная с обходом авторизации посредством использования ключа, контролируемого пользователем, позволяющая нарушителю обойти страницу входа и получить доступ к странице панели инструментов\n\n * BDU:2023-01681: Уязвимость метода init() универсальной системы мониторинга Zabbix, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-01720: Уязвимость универсальной системы мониторинга Zabbix, связанная с неправильным присвоением разрешений для критичного ресурса, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-02341: Уязвимость реализации сценариев api_jsonrpc.php и index.php универсальной системы мониторинга Zabbix, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * CVE-2019-15132: Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the \"Login name or password is incorrect\" and \"No permissions for system access\" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.\n\n * CVE-2019-17382: An issue was discovered in zabbix.php?action=dashboard.view\u0026dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.\n\n * CVE-2021-27927: In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.\n\n * CVE-2022-23132: During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "Critical",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2020-01-23"
          },
          "Updated": {
            "Date": "2020-01-23"
          },
          "BDUs": [
            {
              "ID": "BDU:2021-03179",
              "CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:N",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "CWE": "CWE-639",
              "Href": "https://bdu.fstec.ru/vul/2021-03179",
              "Impact": "Critical",
              "Public": "20191007"
            },
            {
              "ID": "BDU:2023-01681",
              "CVSS": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "CWE": "CWE-352",
              "Href": "https://bdu.fstec.ru/vul/2023-01681",
              "Impact": "High",
              "Public": "20210104"
            },
            {
              "ID": "BDU:2023-01720",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "CWE": "CWE-732",
              "Href": "https://bdu.fstec.ru/vul/2023-01720",
              "Impact": "High",
              "Public": "20211201"
            },
            {
              "ID": "BDU:2023-02341",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "CWE": "CWE-200, CWE-203",
              "Href": "https://bdu.fstec.ru/vul/2023-02341",
              "Impact": "Low",
              "Public": "20190816"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2019-15132",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "CWE": "CWE-203",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-15132",
              "Impact": "Low",
              "Public": "20190817"
            },
            {
              "ID": "CVE-2019-17382",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "CWE": "CWE-639",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-17382",
              "Impact": "Critical",
              "Public": "20191009"
            },
            {
              "ID": "CVE-2021-27927",
              "CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "CWE": "CWE-352",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-27927",
              "Impact": "High",
              "Public": "20210303"
            },
            {
              "ID": "CVE-2022-23132",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "CWE": "CWE-732",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-23132",
              "Impact": "High",
              "Public": "20220113"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:kworkstation:9",
              "cpe:/o:alt:workstation:9",
              "cpe:/o:alt:server:9",
              "cpe:/o:alt:server-v:9",
              "cpe:/o:alt:education:9",
              "cpe:/o:alt:slinux:9",
              "cpe:/o:alt:starterkit:p9",
              "cpe:/o:alt:kworkstation:9.1",
              "cpe:/o:alt:workstation:9.1",
              "cpe:/o:alt:server:9.1",
              "cpe:/o:alt:server-v:9.1",
              "cpe:/o:alt:education:9.1",
              "cpe:/o:alt:slinux:9.1",
              "cpe:/o:alt:starterkit:9.1",
              "cpe:/o:alt:kworkstation:9.2",
              "cpe:/o:alt:workstation:9.2",
              "cpe:/o:alt:server:9.2",
              "cpe:/o:alt:server-v:9.2",
              "cpe:/o:alt:education:9.2",
              "cpe:/o:alt:slinux:9.2",
              "cpe:/o:alt:starterkit:9.2"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:1001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083001",
                "Comment": "zabbix-agent is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083002",
                "Comment": "zabbix-agent-sudo is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083003",
                "Comment": "zabbix-common is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083004",
                "Comment": "zabbix-common-database-mysql is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083005",
                "Comment": "zabbix-common-database-pgsql is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083006",
                "Comment": "zabbix-common-database-sqlite3 is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083007",
                "Comment": "zabbix-contrib is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083008",
                "Comment": "zabbix-doc is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083009",
                "Comment": "zabbix-java-gateway is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083010",
                "Comment": "zabbix-phpfrontend-apache2 is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083011",
                "Comment": "zabbix-phpfrontend-apache2-mod_php7 is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083012",
                "Comment": "zabbix-phpfrontend-engine is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083013",
                "Comment": "zabbix-phpfrontend-php7 is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083014",
                "Comment": "zabbix-proxy is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083015",
                "Comment": "zabbix-proxy-common is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083016",
                "Comment": "zabbix-proxy-pgsql is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083017",
                "Comment": "zabbix-server-common is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083018",
                "Comment": "zabbix-server-mysql is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083019",
                "Comment": "zabbix-server-pgsql is earlier than 1:4.4.4-alt0.p9.1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20201083020",
                "Comment": "zabbix-source is earlier than 1:4.4.4-alt0.p9.1"
              }
            ]
          }
        ]
      }
    }
  ]
}