Vulnerability Note VU#298796
Centreon contains multiple vulnerabilities
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 contain multiple vulnerabilities.
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2014-3829
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to command injection due to unsafe handling of session_id and template_id variables in displayServiceStatus.php and insufficient filtering on the command_line variable. The underlying operating system is then able to interpolate special characters, allowing for arbitrary commands to be injected.
A remote unauthenticated attacker may be able to execute arbitrary OS and SQL commands.
The CERT/CC is currently unaware of a practical solution to this problem.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Centreon||Affected||05 Sep 2014||15 Oct 2014|
CVSS Metrics (Learn More)
Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability and MaZ for the original vulnerability discovery.
This document was written by Chris King.
- CVE IDs: CVE-2014-3828 CVE-2014-3829
- Date Public: 15 Oct 2014
- Date First Published: 17 Oct 2014
- Date Last Updated: 17 Oct 2014
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.