Permissions, Privileges, and Access Controls in Nagios - CVE-2013-2214
Published: February 11, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU42050
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-2214
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: nagios.org
Affected software:
Nagios
Nagios
Detailed vulnerability description
The vulnerability allows a remote #AU# to gain access to sensitive information.
status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid style in status.cgi. NOTE: this behavior is by design in most 3.x versions, but the upstream vendor "decided to change it for Nagios 4" and 3.5.1.
How to mitigate CVE-2013-2214
Install update from vendor's website.