CVE-2025-27231 | THREATINT

Description

The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.

PUBLISHED Reserved 2025-02-20 | Published 2025-10-03 | Updated 2025-10-03 | Assigner Zabbix

MEDIUM: 4.3CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-522: Insufficiently Protected Credentials

Product status

Default status

unknown

6.0.0 (git)

affected

7.0.0 (git)

affected

7.2.0 (git)

affected

7.4.0 (git)

affected

Credits

Zabbix wants to thank Vladislav Volozhenko for finding and reporting this issue. reporter

References

support.zabbix.com/browse/ZBX-27062

cve.org (CVE-2025-27231)

nvd.nist.gov (CVE-2025-27231)

Download JSON