Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.
References
Link | Resource |
---|---|
https://engindemirbilek.github.io/centreon-19.10-rce | Exploit Third Party Advisory |
https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/centreon-19.10-rce.html | Exploit Third Party Advisory |
https://github.com/centreon/centreon/compare/19.04.13...19.04.15 | Patch Third Party Advisory |
https://github.com/centreon/centreon/pull/8467 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-05-21T03:35:00
Updated: 2020-05-21T03:35:00
Reserved: 2020-05-21T00:00:00
Link: CVE-2020-13252
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-05-21T04:15:10.693
Modified: 2020-05-21T14:18:07.437
Link: CVE-2020-13252
JSON object: View
Redhat Information
No data.
CWE