Description
Security update for icinga
This update for icinga fixes the following issues:
Update to 1.14.0
- CVE-2015-8010: Fixed XSS in the icinga classic UI (boo#952777)
- CVE-2016-8641 / CVE-2016-10089: Fixed a possible symlink attack for files/dirs created by root (boo#1011630 and boo#1018047)
- CVE-2016-0726: Removed the pre-configured administrative account with fixed password for the WebUI (boo#961115)
Package list
openSUSE Leap 42.3
References
- E-Mail link for openSUSE-SU-2018:3258-1
- SUSE Security Ratings
Description
Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi.
Affected products
References
- CVE-2015-8010
- SUSE Bug 952777
Description
The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
Affected products
References
- CVE-2016-0726
- SUSE Bug 961115
Description
Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641.
Affected products
References
- CVE-2016-10089
- SUSE Bug 1011630
- SUSE Bug 1018047
Description
A privilege escalation vulnerability was found in Nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It is possible for a local attacker to create symbolic links before the files are created, possibly escalating privileges through the ownership change.
Affected products
References
- CVE-2016-8641
- SUSE Bug 1011630
- SUSE Bug 1018047