SB2018053107 - Multiple vulnerabilities in Nagios
Published: May 31, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) SQL-injection (CVE-ID: CVE-2018-8733)
The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.
The vulnerability exists due to authentication bypass vulnerability in the core config manager. A remote attacker can send a specially crafted HTTP request to vulnerable script, bypass authentication and execute arbitrary SQL commands in web application database.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.
2) SQL-injection (CVE-ID: CVE-2018-8734)
The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.
The vulnerability exists due to insufficient validation of user-supplied input passed via the selInfoKey1 parameter. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.
3) OS command injection (CVE-ID: CVE-2018-8735)
The vulnerability allows a remote attacker to execute shell commands on the target system.The weakness exists due to incorrect processing of the user’s input data in the certain parameter. A remote attacker can inject and execute arbitrary shell commands with root privileges.
4) Privilege escalation (CVE-ID: CVE-2018-8736)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to insufficient privileges and access controls. A local attacker can gain root privileges and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.