#VU34362 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Nagios - CVE-2020-13977


| Updated: 2020-08-08

Vulnerability identifier: #VU34362

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13977

CWE-ID: CWE-74

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nagios
Server applications / Other server solutions

Vendor: nagios.org

Description

The vulnerability allows a remote privileged user to manipulate data.

Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Nagios: 4.4.5

External links
https://anhtai.me/nagios-core-4-4-5-url-injection/
https://github.com/sawolf/nagioscore/tree/url-injection-fix
https://www.nagios.org/projects/nagios-core/history/4x/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora EPEL 7 update for nagios
Fedora EPEL 8 update for nagios
Fedora 34 update for nagios
Fedora EPEL 7 update for nagios
Fedora EPEL 8 update for nagios
Fedora 32 update for nagios
Fedora 33 update for nagios
Fedora 34 update for nagios
Fedora EPEL 7 update for nagios
Fedora EPEL 8 update for nagios