1. CVE-Search
  2. CVE-2012-6086
ID CVE-2012-6086
Summary libs/zbxmedia/eztexting.c in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.8rc1, and 2.1.x before 2.1.2 does not properly set the CURLOPT_SSL_VERIFYHOST option for libcurl, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References
Vulnerable Configurations
  • cpe:2.3:a:zabbix:zabbix:1.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:1.8.10:rc1:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:1.8.10:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:1.8.10:rc2:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:1.8.10:rc2:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:1.8.15:rc1:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:1.8.15:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:1.8.16:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:1.8.16:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.0:rc5:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.0:rc6:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.0:rc6:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.1:rc1:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.1:rc1:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.1:rc2:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:zabbix:zabbix:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:zabbix:zabbix:2.1.1:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 18-08-2016 - 14:48)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
refmap via4
bid 57103
confirm https://support.zabbix.com/browse/ZBX-5924
mlist [oss-security] 20130103 Re: CVE request: Curl insecure usage
Last major update 18-08-2016 - 14:48
Published 29-01-2014 - 18:55
Last modified 18-08-2016 - 14:48
Back to Top