#VU21082 Stack-based buffer overflow


Published: 2019-09-12

Vulnerability identifier: #VU21082

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2019-13486

CWE-ID: CWE-121

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Xymon
Web applications / Remote management & hosting panels

Vendor: GNU

Description

The vulnerability allows a remote attacker to access or modify data, or cause a denial of service (DoS) condition on an affected system.

The vulnerability exists in the status-log viewer component due to a boundary error in the "svcstatus.c" file because the software does not properly validate user-supplied input. A remote unauthenticated attacker can submit malicious input, trigger stack-based buffer overflow and access or modify data, or cause a DoS condition on the affected system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Xymon: 4.0.0 - 4.3.28


CPE

External links
http://github.com/svn2github/xymon/blob/master/branches/4.3.28/web/svcstatus.c
http://lists.debian.org/debian-lts-announce/2019/08/msg00032.html
http://lists.xymon.com/archive/2019-July/046570.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability