Source: Ubuntu.com (ubuntucve)
ID: UB:CVE-2013-2214
Date: Feb 10, 2014 - 12:00 a.m.

CVE-2013-2214

CVSS2: 4 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 53.0%

status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not
properly restrict access to certain users that are a contact for a service,
which allows remote authenticated users to obtain sensitive information
about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid
style in status.cgi. NOTE: this behavior is by design in most 3.x versions,
but the upstream vendor “decided to change it for Nagios 4” and 3.5.1.

Notes

seth-arnold: Icinga asserts not-affected despite reports to the contrary
mdeslaur: this CVE has been rejected: http://www.openwall.com/lists/oss-security/2013/08/02/3
