ID: FEDORA_2013-22649.NASL
Type: nessus
Reporter: This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2013-12-14T00:00:00
Description
3.4.0 - 02-Dec-2013
====================

- Added a complete statistical Memcached graph. [#27]
- Added support for different BIND stats versions (2 and
  3 right now). (thanks to Ivo Brhel, ivb AT volny.cz)
- Added two new alerts in the 'disk' graph in order to
  know if a disk drive has exceeded or reached a threshold
  for reallocated and pending sectors. (suggested by
  Matthew Connelly, maff AT maff.im)
- Added a new option called 'max_historic_years' (with a
  default value of 1), which enables the ability to have
  up to 5 years of data. Beware with this option because
  it generates a new '.rrd' file every time the value is
  extended, losing the current historical data. (suggested
  by Mohan Reddy, Mohan.Reddy AT analog.com)
- Improved the regexp when collecting data from devices'
  interrupts which also fixes some annoying messages on
  using non-numeric arguments.
- Added support for the Pure-FTPd logs in the 'serv' and
  'ftp' graphs.
- Added the new configuration option 'https_url'. [#31]
- Fixed error messages about use of uninitialized values
  in 'system' graph on BSD systems.
- Fixed error messages about not numeric argument in
  addition in 'fs' graph on BSD systems.
- Fixed in 'emailreports' to use the command line
  'hostname' if the variable $ENV{HOSTNAME} is not defined
  (Debian/Ubuntu and perhaps other systems). (thanks to
  Skibbi, skibbi AT gmail.com for pointing this out)
- Fixed the error message 'String ends after the = sign on
  CDEF:allvalues=' in the 'int' graph (the Interrupts
  graph is pending to have a complete rewrite).
- Fixed the 'int' graph in order to be more compatible
  with Raspberry Pi.
- Fixed in 'bind.pm' to store a 0 value if threads are
  disabled. [#29]
- Fixed to correctly send images in graphs 'proc',
  'port' and 'fail2ban' when using emailreports. (thanks
  to Benoit Segond von Banchet, bjm.segondvonbanchet AT
  telfort.nl for pointing this out)
- Fixed to show the real hostname in the emailreports.
- Fixed the 'int' graph in order to be compatible with
  Excito B3 product. (thanks to Patrick Fallberg,
  patrick AT fallberg.net for pointing this out)
- Fixed to correctly sanitize the input string in the
  built-in HTTP server which led into a number of security
  vulnerabilities. [#30]
- Fixed the lack of minimum definition in some data
  sources of 'bind' graph. (thanks to Andreas Itzchak
  Rehberg, izzy AT qumran.org for pointing this out)
- Fixed a fail to adequately sanitize request strings of
  malicious JavaScript. [#30] (thanks to Jacob Amey, jamey
  AT securityinspection.com for pointing this out)
- Fixed a typo in monitorix.service. [#32]
- Fixed the requests value in the 'nginx' graph. Now it
  honours the label to show the value per second,
  instead of per minute. (thanks to Martin Culak, culak
  AT firma.azet.sk for pointing this out)
- Small fixes and typos.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2013-22649.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(71416);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2013-7070", "CVE-2013-7071");
  script_bugtraq_id(63913, 64178, 64264);
  script_xref(name:"FEDORA", value:"2013-22649");

  script_name(english:"Fedora 20 : monitorix-3.4.0-1.fc20 (2013-22649)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"3.4.0 - 02-Dec-2013 ====================
- Added a complete statistical Memcached graph. [#27]
- Added support for different BIND stats versions (2 and
3 right now). (thanks to Ivo Brhel, ivb AT volny.cz)
- Added two new alerts in the 'disk' graph in order to
know if a disk drive has exceeded or reached a threshold
for reallocated and pending sectors. (suggested by
Matthew Connelly, maff AT maff.im)
- Added a new option called 'max_historic_years' (with a
default value of 1), which enables the ability to have
up to 5 years of data. Beware with this option because
it generates a new '.rrd' file every time the value is
extended, losing the current historical data. (suggested
by Mohan Reddy, Mohan.Reddy AT analog.com)
- Improved the regexp when collecting data from devices's
interrupts which also fixes some annoying messages on
using non-numeric arguments.
- Added support for the Pure-FTPd logs in the 'serv' and
'ftp' graphs.
- Added the new configuration option 'https_url'. [#31]
- Fixed error messages about use of uninitialized values
in 'system' graph on BSD systems.
- Fixed error messages about not numeric argument in
addition in 'fs' graph on BSD systems.
- Fixed in 'emailreports' to use the command line
'hostname' if the variable $ENV{HOSTNAME} is not defined
(Debian/Ubuntu and perhaps other systems). (thanks to
Skibbi, skibbi AT gmail.com for pointing this out)
- Fixed the error message 'String ends after the = sign on
CDEF:allvalues=' in the 'int' graph (the Interrupts
graph is pending to have a complete rewrite).
- Fixed the 'int' graph in order to be more compatible
with Raspberry Pi.
- Fixed in 'bind.pm' to store a 0 value if threads are
disabled. [#29]
- Fixed to correctly sent images in graphs 'proc',
'port' and 'fail2ban' when using emailreports. (thanks
to Benoit Segond von Banchet, bjm.segondvonbanchet AT
telfort.nl for pointing this out)
- Fixed to show the real hostname in the emailreports.
- Fixed the 'int' graph in order to be compatible with
Excito B3 product. (thanks to Patrick Fallberg,
patrick AT fallberg.net for pointing this out)
- Fixed to correctly sanitize the input string in the
built-in HTTP server which led into a number of security
vulnerabilities. [#30]
- Fixed the lack of minimum definition in some data
sources of 'bind' graph. (thanks to Andreas Itzchak
Rehberg, izzy AT qumran.org for pointing this out)
- Fixed a fail to adequately sanitize request strings of
malicious JavaScript. [#30] (thanks to Jacob Amey, jamey
AT securityinspection.com for pointing this out)
- Fixed a typo in monitorix.service. [#32]
- Fixed the requests value in the 'nginx' graph. Now it
honours the label to show the value per second,
instead of per minute. (thanks to Martin Culak, culak
AT firma.azet.sk for pointing this out)
- Small fixes and typos.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1038071"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123530.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?92b47d57"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected monitorix package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:monitorix");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/12/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC20", reference:"monitorix-3.4.0-1.fc20")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "monitorix");
}
["CVE-2013-7070"], "modified": "2021-01-02T00:00:00", "cpe": ["x-cpe:/a:monitorix:monitorix"], "id": "MONITORIX_COMMAND_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/71212", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71212);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_cve_id(\"CVE-2013-7070\");\n script_bugtraq_id(64178);\n\n script_name(english:\"Monitorix Built-in HTTP Server Remote Command Execution\");\n script_summary(english:\"Tries to exploit remote command execution vulnerability\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server is affected by a remote command execution\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Monitorix built-in HTTP server does not properly sanitize\nHTTP GET request strings, allowing for remote, arbitrary command\nexecution via a specially crafted HTTP request.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/mikaku/Monitorix/issues/30\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.monitorix.org/news.html#N331\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Monitorix 3.3.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:monitorix:monitorix\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080, embedded:TRUE);\n\nserver_name = http_server_header(port:port);\nif ('Monitorix' >!< server_name) audit(AUDIT_NOT_LISTEN, \"Monitorix HTTP Server\", port);\n\nhttp_check_remote_code(\n port:port,\n embedded:TRUE,\n check_request:\"|id|\",\n check_result:\"uid=[0-9]+.*gid=[0-9]+.*\",\n command:\"id\"\n);\naudit(AUDIT_LISTEN_NOT_VULN, \"Monitorix HTTP Server\", port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2018-01-18T11:09:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-7072", "CVE-2013-7071", "CVE-2013-7070"], "description": "Check for the Version of monitorix", "modified": "2018-01-18T00:00:00", "published": "2013-12-17T00:00:00", "id": "OPENVAS:867104", "href": "http://plugins.openvas.org/nasl.php?oid=867104", "type": "openvas", "title": "Fedora Update for monitorix FEDORA-2013-22677", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for monitorix FEDORA-2013-22677\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free 
Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867104);\n script_version(\"$Revision: 8456 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-18 07:58:40 +0100 (Thu, 18 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-17 11:38:22 +0530 (Tue, 17 Dec 2013)\");\n script_cve_id(\"CVE-2013-7070\", \"CVE-2013-7071\", \"CVE-2013-7072\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for monitorix FEDORA-2013-22677\");\n\n tag_insight = \"Monitorix is a free, open source, lightweight system monitoring tool designed\nto monitor as many services and system resources as possible. 
It has been\ncreated to be used under production Linux/UNIX servers, but due to its\nsimplicity and small size may also be used on embedded devices as well.\n\";\n\n tag_affected = \"monitorix on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-22677\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123445.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of monitorix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"monitorix\", rpm:\"monitorix~3.4.0~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-10T16:28:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-7072", "CVE-2013-7071", "CVE-2013-7070"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-12-17T00:00:00", "id": "OPENVAS:1361412562310867104", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867104", "type": "openvas", "title": "Fedora Update for monitorix FEDORA-2013-22677", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for monitorix FEDORA-2013-22677\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867104\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-17 11:38:22 +0530 (Tue, 17 Dec 2013)\");\n script_cve_id(\"CVE-2013-7070\", \"CVE-2013-7071\", \"CVE-2013-7072\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for monitorix FEDORA-2013-22677\");\n\n\n script_tag(name:\"affected\", value:\"monitorix on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-22677\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123445.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'monitorix'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"monitorix\", rpm:\"monitorix~3.4.0~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-25T10:48:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-7072", "CVE-2013-7071", "CVE-2013-7070"], "description": "Check for the Version of monitorix", "modified": "2017-07-10T00:00:00", "published": "2014-02-05T00:00:00", "id": "OPENVAS:867270", "href": "http://plugins.openvas.org/nasl.php?oid=867270", "type": "openvas", "title": "Fedora Update for monitorix FEDORA-2013-22649", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for monitorix FEDORA-2013-22649\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will 
be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867270);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-05 09:35:57 +0530 (Wed, 05 Feb 2014)\");\n script_cve_id(\"CVE-2013-7070\", \"CVE-2013-7071\", \"CVE-2013-7072\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for monitorix FEDORA-2013-22649\");\n\n tag_insight = \"Monitorix is a free, open source, lightweight system monitoring tool designed\nto monitor as many services and system resources as possible. 
It has been\ncreated to be used under production Linux/UNIX servers, but due to its\nsimplicity and small size may also be used on embedded devices as well.\n\";\n\n tag_affected = \"monitorix on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-22649\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123530.html\");\n script_summary(\"Check for the Version of monitorix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"monitorix\", rpm:\"monitorix~3.4.0~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-10T16:27:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-7072", "CVE-2013-7071", "CVE-2013-7070"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-02-05T00:00:00", "id": "OPENVAS:1361412562310867270", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867270", "type": "openvas", "title": "Fedora Update for monitorix FEDORA-2013-22649", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for monitorix FEDORA-2013-22649\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867270\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-05 09:35:57 +0530 (Wed, 05 Feb 2014)\");\n script_cve_id(\"CVE-2013-7070\", \"CVE-2013-7071\", \"CVE-2013-7072\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for monitorix FEDORA-2013-22649\");\n script_tag(name:\"affected\", value:\"monitorix on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-22649\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123530.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'monitorix'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"monitorix\", rpm:\"monitorix~3.4.0~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-7070", "CVE-2013-7071", "CVE-2013-7072"], "description": "Monitorix is a free, open source, lightweight system monitoring tool designed to monitor as many services and system resources as possible. It has been created to be used under production Linux/UNIX servers, but due to its simplicity and small size may also be used on embedded devices as well. 
", "modified": "2013-12-13T05:01:57", "published": "2013-12-13T05:01:57", "id": "FEDORA:05EB022AA8", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: monitorix-3.4.0-1.fc19", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-7070", "CVE-2013-7071", "CVE-2013-7072"], "description": "Monitorix is a free, open source, lightweight system monitoring tool designed to monitor as many services and system resources as possible. It has been created to be used under production Linux/UNIX servers, but due to its simplicity and small size may also be used on embedded devices as well. ", "modified": "2013-12-14T02:50:20", "published": "2013-12-14T02:50:20", "id": "FEDORA:3FD642207C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: monitorix-3.4.0-1.fc20", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}