Metric | Value |
---|---|
CVSS2 | 6.5 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
EPSS | 0.032 Low |
Percentile | 91.2% |
The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before
4.0.1 allows remote authenticated users to bypass authorization checks, and
trigger execution of arbitrary programs by this process, via (a) a custom
form or (b) a browser addon.
Author | Note |
---|---|
mdeslaur | Nagios 1.x doesn’t have the CHANGE commands, so authenticated users wouldn’t be able to trigger arbitrary programs. They could bypass authorization checks by submitting commands with linefeeds though. Also see CVE-2008-6373 |
bugs.launchpad.net/ubuntu/+source/nagios3/+bug/301542
launchpad.net/bugs/cve/CVE-2008-5027
nvd.nist.gov/vuln/detail/CVE-2008-5027
security-tracker.debian.org/tracker/CVE-2008-5027
ubuntu.com/security/notices/USN-698-1
ubuntu.com/security/notices/USN-698-2
ubuntu.com/security/notices/USN-698-3
www.cve.org/CVERecord?id=CVE-2008-5027