vuln-list-alt/oval/p11/ALT-PU-2019-1862/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20191862",
      "Version": "oval:org.altlinux.errata:def:20191862",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2019-1862: package `zabbix` update to version 4.2.1-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p11"
            ],
            "Products": [
              "ALT Container"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2019-1862",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2019-1862",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2023-01681",
            "RefURL": "https://bdu.fstec.ru/vul/2023-01681",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2023-01720",
            "RefURL": "https://bdu.fstec.ru/vul/2023-01720",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2023-02341",
            "RefURL": "https://bdu.fstec.ru/vul/2023-02341",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2019-15132",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-15132",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2020-15803",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-15803",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2021-27927",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-27927",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2022-23132",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-23132",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades zabbix to version 4.2.1-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01681: Уязвимость метода init() универсальной системы мониторинга Zabbix, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-01720: Уязвимость универсальной системы мониторинга Zabbix, связанная с неправильным присвоением разрешений для критичного ресурса, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-02341: Уязвимость реализации сценариев api_jsonrpc.php и index.php универсальной системы мониторинга Zabbix, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * CVE-2019-15132: Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the \"Login name or password is incorrect\" and \"No permissions for system access\" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.\n\n * CVE-2020-15803: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.\n\n * CVE-2021-27927: In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.\n\n * CVE-2022-23132: During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2019-05-20"
          },
          "Updated": {
            "Date": "2019-05-20"
          },
          "BDUs": [
            {
              "ID": "BDU:2023-01681",
              "CVSS": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "CWE": "CWE-352",
              "Href": "https://bdu.fstec.ru/vul/2023-01681",
              "Impact": "High",
              "Public": "20210104"
            },
            {
              "ID": "BDU:2023-01720",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "CWE": "CWE-732",
              "Href": "https://bdu.fstec.ru/vul/2023-01720",
              "Impact": "High",
              "Public": "20211201"
            },
            {
              "ID": "BDU:2023-02341",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "CWE": "CWE-200, CWE-203",
              "Href": "https://bdu.fstec.ru/vul/2023-02341",
              "Impact": "Low",
              "Public": "20190816"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2019-15132",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "CWE": "CWE-203",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-15132",
              "Impact": "Low",
              "Public": "20190817"
            },
            {
              "ID": "CVE-2020-15803",
              "CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "CWE": "CWE-79",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-15803",
              "Impact": "Low",
              "Public": "20200717"
            },
            {
              "ID": "CVE-2021-27927",
              "CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "CWE": "CWE-352",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-27927",
              "Impact": "High",
              "Public": "20210303"
            },
            {
              "ID": "CVE-2022-23132",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "CWE": "CWE-732",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-23132",
              "Impact": "High",
              "Public": "20220113"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:container:11"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:3001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862001",
                "Comment": "zabbix-agent is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862002",
                "Comment": "zabbix-agent-sudo is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862003",
                "Comment": "zabbix-common is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862004",
                "Comment": "zabbix-common-database-mysql is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862005",
                "Comment": "zabbix-common-database-pgsql is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862006",
                "Comment": "zabbix-common-database-sqlite3 is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862007",
                "Comment": "zabbix-contrib is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862008",
                "Comment": "zabbix-doc is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862009",
                "Comment": "zabbix-java-gateway is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862010",
                "Comment": "zabbix-phpfrontend-apache2 is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862011",
                "Comment": "zabbix-phpfrontend-apache2-mod_php7 is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862012",
                "Comment": "zabbix-phpfrontend-engine is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862013",
                "Comment": "zabbix-phpfrontend-php7 is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862014",
                "Comment": "zabbix-proxy is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862015",
                "Comment": "zabbix-proxy-common is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862016",
                "Comment": "zabbix-proxy-pgsql is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862017",
                "Comment": "zabbix-server-common is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862018",
                "Comment": "zabbix-server-mysql is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862019",
                "Comment": "zabbix-server-pgsql is earlier than 1:4.2.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20191862020",
                "Comment": "zabbix-source is earlier than 1:4.2.1-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}