Information disclosure in Centreon



Published: 2019-10-08 | Updated: 2020-07-06
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2019-17104
CWE ID CWE-565
Exploitation vector Network
Public exploit N/A
Vulnerable software
Centreon
Web applications / CMS

Vendor Centreon

Security Advisory

Updated: 30.01.2020

Updated list of affected versions.

Updated: 06.07.2020

Changed bulletin status to patched, lowered severity rating of this issue.

1) Reliance on Cookies without Validation and Integrity Checking

Risk: Low

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-17104

CWE-ID: CWE-565 - Reliance on Cookies without Validation and Integrity Checking

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists because the cookie configuration of the Apache HTTP Server shipped with Centreon does not protect the session cookie against theft: the HttpOnly flag is not set. A remote attacker can eavesdrop on cookies on the network and obtain sensitive information, including a valid session. Note that HttpOnly only prevents client-side script from reading the cookie (document.cookie); the cookie is protected in transit only when the interface is served over HTTPS and the cookie additionally carries the Secure flag, so both flags should be checked together.

Mitigation

The vendor will update its documentation on how to configure HTTPS on a virtual machine. Until the installation is served over HTTPS, the session cookie remains exposed on the network; administrators should enable HTTPS and set both the HttpOnly and Secure flags on the session cookie (for example via php.ini session.cookie_httponly and session.cookie_secure, or an Apache mod_headers Header edit Set-Cookie rule).
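The following is an added example, not code from Centreon, Apache or the advisory authors: a small Python audit that parses the Set-Cookie headers of an HTTP response and reports which of the flags discussed above (HttpOnly, Secure, SameSite) are missing. It illustrates both the description (why a cookie without HttpOnly is readable by script, and why Secure and HTTPS are what protect it on the wire) and the mitigation. The two sample responses are constructed to resemble a PHP session cookie as a default and a hardened install might emit it; they are not captured from a real Centreon system, and the cookie value is a placeholder.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite flags.

Added example, not Centreon or Apache code. The sample headers below are
constructed (not captured) and only resemble a PHP session cookie as issued
by a web UI behind Apache.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieAudit:
    """Parse one Set-Cookie header value in RFC 6265 style.

    The first ';'-separated piece is name=value (the value may itself contain
    '='); the remaining pieces are attributes. Attribute names are
    case-insensitive, so 'httponly' and 'HttpOnly' are the same flag.
    """
    pieces = [p.strip() for p in value.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()

    audit = CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite") or None,
    )
    if not audit.httponly:
        audit.findings.append(
            "HttpOnly missing: cookie readable by script via document.cookie")
    if not audit.secure:
        audit.findings.append(
            "Secure missing: cookie also sent over plain HTTP, exposed to eavesdropping")
    if audit.samesite is None:
        audit.findings.append(
            "SameSite missing: browser default applies to cross-site requests")
    return audit


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {cookie_name: findings} for every Set-Cookie header in a response.

    A response may carry several Set-Cookie headers, so the input is a list
    of (name, value) pairs rather than a dict.
    """
    results: Dict[str, List[str]] = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        audit = parse_set_cookie(hvalue)
        results[audit.name] = audit.findings
    return results


# Constructed sample: the cookie as an unhardened install might emit it.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=0123456789abcdef0123456789abcdef; path=/"),
]

# Constructed sample: the same cookie after hardening behind HTTPS.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie",
     "PHPSESSID=0123456789abcdef0123456789abcdef; path=/; HttpOnly; Secure; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for cookie, findings in audit_headers(response).items():
            print(f"[{label}] {cookie}: {findings or 'OK'}")
```

Running the script against a live instance would mean feeding it the headers of the login response (for example the output of a curl -i request) instead of the constructed samples. The audit deliberately treats a missing Secure flag as a separate finding from a missing HttpOnly flag, because fixing the one the advisory names does not address the eavesdropping scenario it describes.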

Vulnerable software versions

Centreon: 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.11, 2.7.12, 2.7.13, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.8.15, 2.8.16, 2.8.17, 2.8.18, 2.8.19, 2.8.20, 2.8.21, 2.8.22, 2.8.23, 2.8.24, 2.8.25, 2.8.26, 2.8.27, 2.8.28, 2.8.29, 2.8.31, 2.8.216, 2.99.1, 2.99.2, 2.99.3, 2.99.4, 2.99.5, 18.10.0, 18.10.1, 18.10.2, 18.10.3, 18.10.4, 18.10.5, 18.10.6, 18.10.7, 18.10.9, 18.10.10, 19.04.0, 19.04.1, 19.04.2, 19.04.3, 19.04.5, 19.04.7, 19.04.8, 19.10.2, 19.10.3, 19.10.4, 19.10.5

External links

https://www.openwall.com/lists/oss-security/2019/10/09/2
https://www.openwall.com/lists/oss-security/2019/10/08/1
https://github.com/centreon/centreon/issues/7097

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


