Information disclosure in Centreon



Published: 2019-10-08 | Updated: 2020-07-06
Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2019-17104
CWE-ID: CWE-565
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Centreon (Web applications / Remote management & hosting panels)

Vendor: Centreon

Security Bulletin

This security bulletin contains information about 1 vulnerability.

Updated: 30.01.2020

Updated list of affected versions.

Updated: 06.07.2020

Changed bulletin status to patched, lowered severity rating of this issue.

1) Reliance on Cookies without Validation and Integrity Checking

EUVDB-ID: #VU22317

Risk: Low

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-17104

CWE-ID: CWE-565 - Reliance on Cookies without Validation and Integrity Checking

Exploit availability: No

Description

The vulnerability allows a remote attacker to access sensitive information on the target system.

The vulnerability exists because the cookie configuration within the Apache HTTP Server does not set the HTTPOnly flag, so cookies are not protected against theft. A remote attacker can eavesdrop on cookies on the network and obtain sensitive information.

Mitigation

The vendor will update documentation on how to configure HTTPS on a virtual machine.
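A defender-side check for the condition this bulletin describes (cookies issued without the HttpOnly flag, and, since the mitigation is to deploy HTTPS, also without Secure). This is an added example and not code from Centreon or from the bulletin; the Set-Cookie headers and cookie names in it are constructed samples, not values observed on a real instance.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags (CWE-565)."""
from typing import Dict, List, Tuple

# Flags the audit expects on every cookie, spelled as they are reported.
REQUIRED_FLAGS = ("HttpOnly", "Secure")

# Constructed sample headers (not captured from a real Centreon install).
# The first two show the unprotected configuration the bulletin describes;
# the third is what a hardened Apache configuration should emit.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=0123456789abcdef; path=/",
    "centreon_lang=en; path=/; Secure",
    "PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute: value}) for one Set-Cookie header.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    valueless flags such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie header")
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_cookie_flags(header: str) -> List[str]:
    """List the required flags absent from a single Set-Cookie header."""
    _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_cookies(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing flags) for every cookie that lacks a flag."""
    findings = []
    for header in headers:
        name, _ = parse_set_cookie(header)
        missing = missing_cookie_flags(header)
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for cookie, flags in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{cookie}: missing {', '.join(flags)}")
```

On an Apache front end with mod_headers loaded, the usual fix is `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`, which appends both flags to every cookie the application sets; re-run the audit against the live response headers after the change to confirm it took effect.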

Vulnerable software versions

Centreon: 2.4.0 - 19.10.5

External links

http://www.openwall.com/lists/oss-security/2019/10/09/2
http://www.openwall.com/lists/oss-security/2019/10/08/1
http://github.com/centreon/centreon/issues/7097


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


