CVE-2020-13252

Опубликовано: 21 мая 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Низкий

Описание

Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.

Ссылки

https://engindemirbilek.github.io/centreon-19.10-rce
Exploit
Third Party Advisory
https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/centreon-19.10-rce.html
Exploit
Third Party Advisory
https://github.com/centreon/centreon/compare/19.04.13...19.04.15
Patch
Third Party Advisory
https://github.com/centreon/centreon/pull/8467
Patch
Third Party Advisory
https://engindemirbilek.github.io/centreon-19.10-rce
Exploit
Third Party Advisory
https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/centreon-19.10-rce.html
Exploit
Third Party Advisory
https://github.com/centreon/centreon/compare/19.04.13...19.04.15
Patch
Third Party Advisory
https://github.com/centreon/centreon/pull/8467
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:centreon:centreon:*:*:*:*:*:*:*:*

Версия от 19.04.0 (включая) до 19.04.15 (исключая)

EPSS

Процентиль: 87%

0.0362

Низкий

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-jmgg-wx67-7qfv