#VU14605 Command injection in Opsview Monitor


Published: 2018-09-05

Vulnerability identifier: #VU14605

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16146

CWE-ID: CWE-77

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Opsview Monitor
Client/Desktop applications / Software for system administration

Vendor: Opsview

Description
The disclosed vulnerability allows a local administrative attacker to execute arbitrary commands on the target system.

The vulnerability exists because the 'value' parameter is not properly sanitized. A local attacker with access to the Opsview Web Management console can use the functionality that tests notifications triggered by certain configurable events to execute arbitrary commands with the privileges of the nagios user.
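The pattern behind CWE-77 here, shown as an added example that is not Opsview's code: the notification-test handler below, its command path and its 'value' handling are hypothetical, and the point is the contrast between interpolating 'value' into a shell string and passing it as a single argv element after allow-list validation.

```python
"""Hypothetical notification-test handler illustrating CWE-77 (command
injection). NOT Opsview's code: the command path, the flag name and the
allow-list are assumptions made for this example."""
import re
import subprocess
from typing import List, Set

# Assumed helper the handler calls to deliver a test notification.
NOTIFY_CMD = "/usr/local/bin/send_notification"

# Characters a POSIX shell interprets; any of these in 'value' would change
# the command if the string were handed to a shell.
SHELL_METACHARS = set(";|&$`\\\"'<>(){}[]*?~#\n")

# Allow-list for the test message: plain text, no shell syntax, bounded length.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._:@\-]{1,200}$")


def vulnerable_command(value: str) -> str:
    """The unsafe pattern: 'value' interpolated into a shell command line.
    Returned as a string (never executed here). With shell=True, a value
    like x'; id would terminate the quoted argument and run a second command."""
    return f"{NOTIFY_CMD} --message '{value}'"


def find_shell_metacharacters(value: str) -> Set[str]:
    """Detection check: which shell metacharacters does the submitted value
    contain? A non-empty result is worth logging as a tampering attempt."""
    return {c for c in value if c in SHELL_METACHARS}


def build_safe_argv(value: str) -> List[str]:
    """Hardened form: validate against the allow-list, then build an argv
    list so the value is one argument and no shell ever parses it."""
    if not _SAFE_VALUE.fullmatch(value):
        raise ValueError("rejected notification test value")
    return [NOTIFY_CMD, "--message", value]


def run_test_notification(value: str) -> subprocess.CompletedProcess:
    """Execute with shell=False: even if validation were bypassed, the
    metacharacters stay inert inside a single argv element."""
    return subprocess.run(build_safe_argv(value), shell=False,
                          capture_output=True, check=False)
```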

Mitigation
The vulnerability has been fixed in versions 5.3.1, 5.4.2 and 6.0.

Vulnerable software versions

Opsview Monitor: 5.2 - 5.4


External links
http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must hold valid credentials and successfully authenticate to the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
