[ASA-201905-1] munin: arbitrary file overwrite

2019-05-06 00:00:00
security.archlinux.org
CVSS2: 1.9
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0
Percentile: 5.1%

Arch Linux Security Advisory ASA-201905-1

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2017-6188
Package : munin
Type    : arbitrary file overwrite
Remote  : Yes
Link    : https://security.archlinux.org/AVG-953

Summary

The package munin before version 2.0.47-1 is vulnerable to arbitrary
file overwrite.

Resolution

Upgrade to 2.0.47-1.

pacman -Syu "munin>=2.0.47-1"

The problem has been fixed upstream in version 2.0.47.

Workaround

None.

Description

A vulnerability in munin allows attackers to overwrite any file
accessible to the webserver user by setting multiple upper_limit GET
parameters when CGI graphs are enabled.
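
A log check for the condition described above, added here as an example and not part of the advisory or of munin: it flags access log entries for CGI graph requests that carry more than one upper_limit parameter, including percent-encoded parameter names. The munin-cgi-graph path marker, the combined log format and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Assumption: CGI graphs are served by a script whose path contains this name.
CGI_MARKER = "munin-cgi-graph"
PARAM = "upper_limit"


def repeated_upper_limit(line):
    """Return the number of upper_limit parameters if the line is a CGI graph
    request carrying more than one of them, else 0."""
    m = REQUEST_RE.search(line)
    if not m:
        return 0
    url = urlsplit(m.group(1))
    if CGI_MARKER not in url.path:
        return 0
    # parse_qsl percent-decodes names, so upper%5Flimit is counted too.
    names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    count = names.count(PARAM)
    return count if count > 1 else 0


def scan(lines):
    """Return (line_number, count) for every entry that repeats upper_limit."""
    hits = []
    for n, line in enumerate(lines, 1):
        count = repeated_upper_limit(line)
        if count:
            hits.append((n, count))
    return hits


# Constructed sample entries (not real traffic); parameter values are placeholders.
SAMPLE = [
    '192.0.2.10 - - [06/May/2019:10:00:00 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?upper_limit=100 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [06/May/2019:10:00:05 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?upper_limit=100&upper_limit=PLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.44 - - [06/May/2019:10:00:09 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?upper%5Flimit=1&size_x=400&upper_limit=2 HTTP/1.1" 200 0',
    '192.0.2.10 - - [06/May/2019:10:00:12 +0000] "GET /index.html?upper_limit=1&upper_limit=2 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for n, count in scan(SAMPLE):
        print(f"line {n}: {count} upper_limit parameters")
```

A hit only shows that the parameter was repeated; whether a file was modified has to be checked on the host, and the upgrade in the Resolution section remains the fix.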

Impact

A remote attacker is able to overwrite arbitrary files on the
filesystem.

References

https://bugs.archlinux.org/task/57537
https://www.debian.org/security/2017/dsa-3794
https://github.com/munin-monitoring/munin/pull/797/commits/42ce18f24d3eae8be33526a198bf21e4f2330230
https://security.archlinux.org/CVE-2017-6188

OS         OS Version  Architecture  Package  Package Version  Filename
ArchLinux  any         any           munin    < 2.0.47-1       UNKNOWN
