PT-2021-7704 · Zabbix+3

Rostislav Palivoda · Published 2019-05-20 · Updated 2023-04-12 · CVE-2021-27927

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Zabbix 4.0.x before 4.0.28rc1
Zabbix 5.0.0alpha1 and later, before 5.0.10rc1
Zabbix 5.2.x before 5.2.6rc1
Zabbix 5.4.0alpha1 and later, before 5.4.0beta2
Description

The CControllerAuthenticationUpdate controller, the frontend handler that saves the Administration > Authentication settings, lacks CSRF protection: its init() method calls disableSIDvalidation(), which turns off the per-request check of the sid token that the other state-changing frontend actions rely on. A remote attacker who gets an authenticated user with sufficient privileges (a Super Admin) to load a crafted page can therefore submit an authentication-settings update inside that user's session, for example redirecting LDAP authentication to a server the attacker controls. Rewriting those settings can compromise the confidentiality and integrity of the instance and cause a denial of service. The attacker does not need the user's credentials, only the correct Zabbix URL and a way to reach an existing user with sufficient privileges.
Recommendations

Update to a fixed release:
For Zabbix 4.0.x, update to 4.0.28rc1 or later.
For Zabbix 5.0.x, update to 5.0.10rc1 or later.
For Zabbix 5.2.x, update to 5.2.6rc1 or later.
For Zabbix 5.4.0 pre-releases, update to 5.4.0beta2 or later.

Where updating is not immediately possible, restrict access to the frontend action that maps to CControllerAuthenticationUpdate (authentication.update in zabbix.php) at the web server or reverse proxy, and remove the disableSIDvalidation() call from the controller's init() method so that the sid token is validated on every request, as it is in the other state-changing controllers.
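The workaround above comes down to one question per controller: does its init() switch off sid validation? The following scanner answers that for a Zabbix frontend checkout. It is an added example, not Zabbix's own code. The three PHP sources embedded in it are constructed stand-ins that only mimic the relevant shape of a controller (class declaration, init(), the disableSIDvalidation() call); the vulnerable one is the pattern the advisory describes, the hardened one is the same controller with the call removed. The audit_tree() helper and the path it suggests are assumptions about where a packaged install keeps its controllers.

```python
"""Find Zabbix frontend controllers whose init() calls disableSIDvalidation(),
the pattern behind CVE-2021-27927.  Added example, not Zabbix's own code.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: the vulnerable shape, init() disables the sid (CSRF) check.
VULNERABLE_SRC = """<?php
class CControllerAuthenticationUpdate extends CController {

    protected function init() {
        $this->disableSIDvalidation();
    }

    protected function checkInput() {
        return true;
    }
}
"""

# Constructed sample: the hardened shape, init() leaves sid validation on.
HARDENED_SRC = """<?php
class CControllerAuthenticationUpdate extends CController {

    protected function init() {
        // sid validation stays enabled: the base class rejects any
        // request whose sid does not match the session {intentional brace}
    }
}
"""

# Constructed sample: a pre-login action that disables the check on purpose.
# It is still reported; deciding whether that is legitimate is a review step.
LOGIN_SRC = """<?php
class CControllerLogin extends CController {
    protected function init() {
        $this->disableSIDvalidation();
    }
}
"""

CLASS_RE = re.compile(r'class\s+(\w+)\s+extends\s+CController\b')
INIT_RE = re.compile(r'function\s+init\s*\(\s*\)\s*\{')
CALL_RE = re.compile(r'disableSIDvalidation\s*\(\s*\)')


@dataclass
class Finding:
    controller: str
    sid_validation_disabled_in_init: bool


def _strip_comments(src: str) -> str:
    """Drop PHP block and line comments so braces inside them cannot
    confuse the brace matcher (crude: also eats '//' inside strings)."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.DOTALL)
    return re.sub(r'//[^\n]*', '', src)


def _method_body(src: str, open_brace: int) -> str:
    """Return the text between the brace at `open_brace` and its match."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced file: take the rest


def audit_controller(src: str) -> Optional[Finding]:
    """Classify one controller source; None if it is not a CController."""
    src = _strip_comments(src)
    cls = CLASS_RE.search(src)
    if cls is None:
        return None
    init = INIT_RE.search(src)
    if init is None:  # no init() at all: base-class validation applies
        return Finding(cls.group(1), False)
    body = _method_body(src, init.end() - 1)  # match ends on the '{'
    return Finding(cls.group(1), CALL_RE.search(body) is not None)


def audit_sources(sources: Dict[str, str]) -> List[Finding]:
    """Audit a name->source mapping; used here with the constructed samples."""
    out = []
    for name, src in sources.items():
        f = audit_controller(src)
        if f is not None:
            out.append(f)
    return out


def audit_tree(root: Path) -> List[Finding]:
    """Audit a real checkout.  Assumed locations: ui/app/controllers in the
    source tree, /usr/share/zabbix/app/controllers on a packaged install."""
    return audit_sources({p.name: p.read_text(errors='replace')
                          for p in sorted(root.glob('*.php'))})


def disabled_controllers(findings: List[Finding]) -> List[str]:
    return [f.controller for f in findings if f.sid_validation_disabled_in_init]


if __name__ == '__main__':
    samples = {'vuln.php': VULNERABLE_SRC, 'fixed.php': HARDENED_SRC,
               'login.php': LOGIN_SRC}
    for f in audit_sources(samples):
        flag = 'sid validation DISABLED in init()' if f.sid_validation_disabled_in_init else 'ok'
        print(f'{f.controller}: {flag}')
```

Run it against a real controllers directory with audit_tree(Path('/usr/share/zabbix/app/controllers')); every controller it lists deserves a look, and CControllerAuthenticationUpdate appearing in that list on a version from the affected ranges is the condition this advisory describes.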

Fix

Weakness Enumeration

CSRF (CWE-352: Cross-Site Request Forgery)

Related Identifiers

ALT-PU-2019-1862
ALT-PU-2020-1083
ALT-PU-2021-1587
ALT-PU-2021-2018
BDU:2023-01681
CVE-2021-27927
DLA-3390-1
OPENSUSE-SU-2022:0036-1
OPENSUSE-SU-2022:0058-1
OPENSUSE-SU-2024:11539-1
SUSE-SU-2021:0990-1

Affected Products

Alt Linux
Astra Linux
Suse
Zabbix