Vulnerability identifier: #VU14605
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Opsview Monitor
Client/Desktop applications / Software for system administration
Vendor: Opsview
Description
The disclosed vulnerability allows a local attacker with administrative privileges to execute arbitrary commands on the target system.
The vulnerability exists because the 'value' parameter is not properly sanitized before it is used to build a system command (command injection, CWE-77). An authenticated attacker with access to the Opsview Web Management console can use the notification test functionality (notifications are triggered under certain configurable events) to execute arbitrary commands with the privileges of the nagios user.
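The pattern the description refers to, shown as an added illustration that is not Opsview's own code (Opsview is written in Perl; this is a Python stand-in): a user-controlled 'value' parameter concatenated into a notification command that is run through a shell, beside the hardened form. The notification command (echo), the function names, the allowlist regex and the sample payloads are assumptions chosen for the example, not details taken from the advisory.

```python
"""Command injection (CWE-77) in a notification test, illustrated.

Added, hypothetical example: this is not Opsview's code. The notification
script, parameter names and validation rules are stand-ins chosen to show the
pattern the advisory describes.
"""
import re
import shlex
import subprocess

# Stand-in for a configured notification command (assumption). The real
# notification script would run as the nagios user, so anything a shell
# executes here would run with that account's privileges. 'echo' is used so
# the example runs anywhere.
NOTIFY_CMD = "echo"

# Allowlist for the 'value' parameter (assumption: a contact address or label).
# The first character may not be '-', so the value cannot be read as an option
# by the notification script itself.
VALUE_RE = re.compile(r"[A-Za-z0-9@._+][A-Za-z0-9@._+-]{0,255}")


def run_test_notification_vulnerable(value: str) -> str:
    """Vulnerable pattern: the user-supplied 'value' is concatenated into a
    command string that is handed to /bin/sh. Metacharacters such as ';',
    '|', '$(...)' and backticks inside 'value' become part of the command."""
    cmd = f"{NOTIFY_CMD} {value}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_test_notification_fixed(value: str, *, validate: bool = True) -> str:
    """Hardened pattern with two independent layers:
    1. reject anything outside the allowlist (validate=True), and
    2. pass 'value' as a single argv element with no shell involved, so even a
       value that slips past validation is never parsed for metacharacters."""
    if validate and not VALUE_RE.fullmatch(value):
        raise ValueError(f"rejected notification value: {value!r}")
    argv = shlex.split(NOTIFY_CMD) + [value]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    benign = "oncall@example.com"
    payload = "x; echo INJECTED"  # constructed payload: a second command after ';'
    # Vulnerable: prints "x", then the injected command runs and prints "INJECTED".
    print(run_test_notification_vulnerable(benign), end="")
    print(run_test_notification_vulnerable(payload), end="")
    # Hardened, argv layer only: the whole payload is echoed literally.
    print(run_test_notification_fixed(payload, validate=False), end="")
    # Hardened, both layers: the payload is rejected before anything runs.
    try:
        run_test_notification_fixed(payload)
    except ValueError as exc:
        print(exc)
```

The argv form alone stops the injection; the allowlist is the layer that also blocks values the notification script itself could misinterpret, such as an argument beginning with '-'. The same two layers apply to any other parameter that reaches a notification or check command.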
Mitigation
The vulnerability has been fixed in versions 5.3.1, 5.4.2 and 6.0.
Vulnerable software versions
Opsview Monitor: 5.2 - 5.4
External links
http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker needs valid credentials and must successfully authenticate to the system.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.