GoogleOSV:GHSA-C4FJ-3WQQ-G9C9Centreon Command Injection
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.011 Low
EPSS
Percentile
84.2%
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (offending file deleted in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.
| CPE | Name | Operator | Version |
|---|---|---|---|
| centreon/centreon | eq | 2.7.3 |
References
packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb
github.com/centreon/centreon-archived
github.com/centreon/centreon-archived/commit/387dffdd051dbc7a234e1138a9d06f3089bb55bb
github.com/centreon/centreon-archived/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a
github.com/centreon/centreon-archived/pull/7083
github.com/centreon/centreon-archived/pull/7271
nvd.nist.gov/vuln/detail/CVE-2015-1561
web.archive.org/web/20201125112637/www.securityfocus.com/archive/1/535961/100/0/threaded
Related
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.011 Low
EPSS
Percentile
84.2%