Jun 08, 2023 - 7:15 p.m.

CVE-2023-34096

2023-06-08 19:15:09
CWE-22
web.nvd.nist.gov
Tags: thruk, cve-2023-34096, path traversal, vulnerability, security, naemon, icinga, shinken, nagios

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.6 High (Confidence: High)

EPSS: 0.039 Low (Percentile: 92.1%)

Thruk is a multibackend monitoring web interface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file panorama.pm is vulnerable to path traversal, which allows an attacker to upload a file to any folder on the affected system that has write permissions. The parameter location is not filtered, validated or sanitized, and it accepts any kind of characters. For a path traversal attack, the only characters required are the dot (.) and the slash (/). A fix is available in version 3.06.2.

Affected configurations

Node: sni thruk, Range: <3.06.2

CPE: thruk:thruk, Name: thruk, Operator: lt, Version: 3.06.2

CNA Affected

[
  {
    "vendor": "sni",
    "product": "Thruk",
    "versions": [
      {
        "version": "< 3.06.2",
        "status": "affected"
      }
    ]
  }
]
