Information Exposure Through an Error Message in LibreNMS - CVE-2023-48294

 


Published: November 17, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129749
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-48294
CWE-ID: CWE-209
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in graph.php when handling graph image requests for device dashboards. A remote user can send a crafted request containing a device ID or hostname to disclose sensitive information.

The issue can be used to enumerate registered devices by observing whether graph output is returned or an error occurs.
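
For defenders reviewing web server logs, the enumeration described above shows up as one source requesting graph.php for many distinct device identifiers. The following Python is an added example, not LibreNMS code and not part of the original advisory; the `device` query parameter name, the combined log format, HTTP 500 as the error outcome, and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format), not from a real system.
# Assumed: "device" parameter, HTTP 500 for the error case; type is a placeholder.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - alice [17/Nov/2023:10:00:{i:02d} +0000] '
     f'"GET /graph.php?device={i}&type=PLACEHOLDER HTTP/1.1" '
     f'{200 if i % 3 else 500} 4096' for i in range(1, 13)]
    + ['203.0.113.9 - bob [17/Nov/2023:10:01:00 +0000] '
       '"GET /graph.php?device=4&type=PLACEHOLDER HTTP/1.1" 200 5120',
       '203.0.113.9 - bob [17/Nov/2023:10:01:05 +0000] '
       '"GET /graph.php?device=core-sw1&type=PLACEHOLDER HTTP/1.1" 200 5090',
       '203.0.113.9 - bob [17/Nov/2023:10:01:09 +0000] "GET /overview HTTP/1.1" 200 812'])

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def graph_requests(log_text, param="device"):
    """Yield (client, user, identifier, status) for each graph.php request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, user, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1] != "graph.php":
            continue
        for ident in parse_qs(url.query).get(param, []):
            yield client, user, ident, int(status)

def flag_enumeration(log_text, min_identifiers=10, param="device"):
    """Return {(client, user): summary} for sources that requested graphs for
    at least min_identifiers distinct device IDs or hostnames."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, user, ident, status in graph_requests(log_text, param):
        seen[(client, user)][ident].add(status)
    flagged = {}
    for source, idents in seen.items():
        if len(idents) < min_identifiers:
            continue
        errored = sorted(i for i, st in idents.items() if any(s >= 400 for s in st))
        flagged[source] = {"identifiers": len(idents), "errored": errored}
    return flagged

if __name__ == "__main__":
    for source, summary in flag_enumeration(SAMPLE_LOG).items():
        print(source, summary)
```

Dashboards legitimately load graphs for several devices at once, so `min_identifiers` needs tuning against normal traffic for the deployment.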


How to mitigate CVE-2023-48294

Install the security update from the vendor's website.
