CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS

Percentile: 53.0%

status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not
properly restrict access to certain users that are a contact for a service,
which allows remote authenticated users to obtain sensitive information
about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid
style in status.cgi. NOTE: this behavior is by design in most 3.x versions,
but the upstream vendor “decided to change it for Nagios 4” and 3.5.1.
Author | Note |
---|---|
seth-arnold | Icinga asserts not-affected despite reports to the contrary |
mdeslaur | this CVE has been rejected: http://www.openwall.com/lists/oss-security/2013/08/02/3 |
www.mail-archive.com/[email protected]/msg39784.html
www.openwall.com/lists/oss-security/2013/06/26/6
launchpad.net/bugs/cve/CVE-2013-2214
nvd.nist.gov/vuln/detail/CVE-2013-2214
security-tracker.debian.org/tracker/CVE-2013-2214
www.cve.org/CVERecord?id=CVE-2013-2214
www.icinga.org/2013/06/27/cve-2013-2214-not-valid-for-icinga-classic-ui/