CVE-2010-1277

NameCVE-2010-1277
DescriptionSQL injection vulnerability in the user.authenticate method in the API in Zabbix 1.8 before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the user parameter in JSON data to api_jsonrpc.php.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs577058

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)jessie, jessie (lts)1:2.2.23+dfsg-0+deb8u8fixed
stretch (security)1:3.0.32+dfsg-0+deb9u3fixed
stretch (lts), stretch1:3.0.32+dfsg-0+deb9u7fixed
buster (security), buster, buster (lts)1:4.0.4+dfsg-1+deb10u5fixed
bullseye1:5.0.8+dfsg-1fixed
bullseye (security)1:5.0.44+dfsg-1+deb11u1fixed
bookworm1:6.0.14+dfsg-1fixed
sid, trixie1:7.0.5+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourceetch(not affected)
zabbixsourcelenny(not affected)
zabbixsource(unstable)1:1.8.2-1577058

Notes

[lenny] - zabbix <not-affected> (vulnerable code not present)
[etch] - zabbix <not-affected> (vulnerable code not present)
This is a bug that was introduced with the Zabbix 1.8 API

Search for package or bug name: Reporting problems