Bug 314673 (CVE-2010-1277) - <net-analyzer/zabbix-1.8.2: SQL injection (CVE-2010-{1277,5049})
Summary: <net-analyzer/zabbix-1.8.2: SQL injection (CVE-2010-{1277,5049})
Status: RESOLVED FIXED
Alias: CVE-2010-1277
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.zabbix.com/rn1.8.2.php
Whiteboard: ~4 [noglsa]
Reported: 2010-04-11 13:58 UTC by Stefan Behte (RETIRED)
Modified: 2011-12-13 00:05 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 13:58:18 UTC
CVE-2010-1277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1277):
  SQL injection vulnerability in the user.authenticate method in the
  API in Zabbix 1.8 before 1.8.2 allows remote attackers to execute
  arbitrary SQL commands via the user parameter in JSON data to
  api_jsonrpc.php.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 13:59:30 UTC
We already have 1.8.2 in tree; could you remove the older, vulnerable ebuilds?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-11-27 04:06:05 UTC
Vulnerable ebuilds removed. Closing noglsa as no vulnerable versions were marked stable.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:05:55 UTC
CVE-2010-5049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5049):
  SQL injection vulnerability in events.php in Zabbix 1.8.1 and earlier allows
  remote attackers to execute arbitrary SQL commands via the nav_time
  parameter.
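Both CVE descriptions above name the same defect class: an attacker-controlled request parameter (the `user` value in the JSON-RPC body for CVE-2010-1277, the `nav_time` query parameter for CVE-2010-5049) ends up inside the SQL text. The following Python/sqlite3 sketch is an added example and is not Zabbix's code or schema; the table layout, the hypothetical `authenticate_*`/`events_since_*` handlers and the sample JSON-RPC request are constructed assumptions. It places the string-concatenation form next to the parameterized form so a reviewer can see, from behaviour alone, which one hands user input to the SQL parser.

```python
import json
import sqlite3

def make_db():
    """Constructed in-memory tables standing in for a users and an events table
    (assumption: not Zabbix's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (alias TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin')")
    conn.execute("CREATE TABLE events (clock INTEGER, name TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [(1000, "e1"), (2000, "e2"), (3000, "e3")])
    return conn

# --- CVE-2010-1277 shape: the JSON 'user' value reaches the SQL text ---------

def authenticate_concat(conn, user):
    """Vulnerable pattern: the caller-supplied alias is spliced into the query
    string, so quote characters in it are interpreted as SQL syntax."""
    sql = "SELECT passwd FROM users WHERE alias='" + user + "'"
    return conn.execute(sql).fetchone()

def authenticate_param(conn, user):
    """Hardened pattern: the alias travels as a bound parameter; the SQL text is
    fixed and the value can never change the statement's structure."""
    return conn.execute("SELECT passwd FROM users WHERE alias=?", (user,)).fetchone()

def handle_jsonrpc(conn, body):
    """Hypothetical JSON-RPC entry point: pulls params.user out of the request
    body and passes it to the parameterized lookup."""
    req = json.loads(body)
    params = req.get("params", {})
    return authenticate_param(conn, params["user"])

# --- CVE-2010-5049 shape: a numeric-looking GET parameter reaches the SQL text

def events_since_concat(conn, nav_time):
    """Vulnerable pattern: nav_time is trusted to be a number and pasted in raw."""
    sql = "SELECT name FROM events WHERE clock>=" + nav_time
    return [row[0] for row in conn.execute(sql)]

def events_since_param(conn, nav_time):
    """Hardened pattern: validate the type first, then bind the integer."""
    if not isinstance(nav_time, str) or not nav_time.isdigit():
        raise ValueError("nav_time must be a non-negative integer string")
    rows = conn.execute("SELECT name FROM events WHERE clock>=?", (int(nav_time),))
    return [row[0] for row in rows]

def is_parsed_as_sql(fn, conn, value):
    """True when the database engine itself rejects the value, i.e. the value
    reached the SQL parser as part of the statement rather than as data."""
    try:
        fn(conn, value)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    # Constructed request in the JSON-RPC shape named by the CVE description.
    body = json.dumps({"jsonrpc": "2.0", "method": "user.authenticate",
                       "params": {"user": "admin", "password": "x"}, "id": 1})
    print("lookup via JSON-RPC:", handle_jsonrpc(db, body))
    # A legitimate alias containing a quote: data to the bound form,
    # SQL syntax to the concatenated form.
    print("concat parses input as SQL:", is_parsed_as_sql(authenticate_concat, db, "o'brien"))
    print("param parses input as SQL:", is_parsed_as_sql(authenticate_param, db, "o'brien"))
    print("concat nav_time treated as SQL:", is_parsed_as_sql(events_since_concat, db, "abc"))
```

The point of `is_parsed_as_sql` is diagnostic rather than exploitative: a single quote in an ordinary alias, or a non-numeric `nav_time`, is enough to tell which variant lets the request parameter alter the statement. The fix for both CVE shapes is the same: a fixed SQL string with bound parameters, plus type validation for values that the query expects to be numeric.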