Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNGZqLTN3cXEtZzljOc4AATSa
Centreon Command Injection
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (offending file deleted in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.
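A sketch of the bug class, as an added example that is not Centreon's code: the page does not reproduce the original regular expression, so the denylist pattern in escape_command_weak below is a hypothetical stand-in that shows why stripping a fixed list of metacharacters before a shell call is insufficient. The hardened path treats ns_id as what it is, an integer poller identifier, and rejects anything else with an allowlist check before any command string is built; escapeshellarg is used for the remaining quoting. The command name getstats and its --poller flag are assumptions for illustration, not the real getStats.php invocation.

```php
<?php
// Added example, not code from Centreon. The denylist regex below is a
// hypothetical stand-in for an "incorrect regular expression": it removes a
// handful of metacharacters but misses others the shell also interprets.
function escape_command_weak(string $value): string
{
    // Hypothetical incomplete denylist: misses backtick, $, (, ), newline, ...
    return preg_replace('/[;&|<>]/', '', $value);
}

// Hardened: ns_id identifies a poller, so it must be a non-negative integer.
// Anything else is rejected outright rather than "cleaned".
function validate_ns_id(string $value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Build the command only from a validated value and quote it as one shell
// word. Returns null when the input fails validation, so no command exists.
function build_stats_command(string $ns_id_raw): ?string
{
    $ns_id = validate_ns_id($ns_id_raw);
    if ($ns_id === null) {
        return null; // reject: do not build a command at all
    }
    // Hypothetical command line; the real getStats.php invocation is not on this page.
    return 'getstats --poller ' . escapeshellarg((string) $ns_id);
}

// Constructed inputs showing the difference between the two approaches.
$inputs = [
    '1',
    '1;id',    // stripped by the denylist, but only because ';' is listed
    '1$(id)',  // passes the denylist unchanged: $( ) is not in the pattern
    "1\nid",   // a newline also separates commands and is not listed either
];
foreach ($inputs as $in) {
    printf("%-12s weak=%-12s hardened=%s\n",
        json_encode($in),
        json_encode(escape_command_weak($in)),
        json_encode(build_stats_command($in)));
}
```

The point of the contrast is that the denylist returns a "cleaned" string for every input, including ones that still carry command substitution or a newline, while the allowlist returns a command for the single well-formed value and refuses the other three.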
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNGZqLTN3cXEtZzljOc4AATSa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-c4fj-3wqq-g9c9, CVE-2015-1561
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-1561
- https://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
- https://github.com/centreon/centreon-archived/pull/7083
- https://github.com/centreon/centreon-archived/pull/7271
- https://github.com/centreon/centreon-archived/commit/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- https://github.com/centreon/centreon-archived/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a
- https://web.archive.org/web/20201125112637/http://www.securityfocus.com/archive/1/535961/100/0/threaded
- https://github.com/advisories/GHSA-c4fj-3wqq-g9c9
Blast Radius: 4.1
Affected Packages
packagist:centreon/centreon
Dependent packages: 0
Dependent repositories: 3
Downloads: 13,599 total
Affected Version Ranges: < 2.8.28
Fixed in: 2.8.28
All affected versions: 2.7.3
All unaffected versions: 2.99.1, 2.99.2, 2.99.3, 2.99.4, 2.99.5, 18.10.6, 18.10.7, 18.10.8, 18.10.9, 18.10.10, 18.10.11, 18.10.12, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 19.4.6, 19.4.7, 19.4.8, 19.4.9, 19.4.10, 19.4.11, 19.4.12, 19.4.13, 19.4.15, 19.4.16, 19.4.17, 19.4.18, 19.4.19, 19.4.20, 19.10.0, 19.10.1, 19.10.2, 19.10.3, 19.10.4, 19.10.5, 19.10.6, 19.10.7, 19.10.8, 19.10.9, 19.10.10, 19.10.12, 19.10.13, 19.10.14, 19.10.15, 19.10.16, 19.10.17, 19.10.18, 19.10.19, 19.10.20, 19.10.21, 19.10.22, 19.10.23, 20.4.0, 20.4.2, 20.4.3, 20.4.4, 20.4.6, 20.4.7, 20.4.8, 20.4.9, 20.4.10, 20.4.11, 20.4.12, 20.4.13, 20.4.14, 20.4.15, 20.4.16, 20.4.17, 20.4.18, 20.4.19, 20.4.20, 20.10.0, 20.10.1, 20.10.2, 20.10.3, 20.10.4, 20.10.5, 20.10.6, 20.10.7, 20.10.8, 20.10.9, 20.10.10, 20.10.11, 20.10.12, 20.10.13, 20.10.14, 20.10.15, 20.10.16, 20.10.17, 20.10.18, 21.4.0, 21.4.1, 21.4.2, 21.4.3, 21.4.4, 21.4.5, 21.4.6, 21.4.7, 21.4.8, 21.4.9, 21.4.10, 21.4.11, 21.4.12, 21.4.13, 21.4.14, 21.4.15, 21.4.16, 21.4.17, 21.4.18, 21.4.19, 21.4.20, 21.10.0, 21.10.1, 21.10.2, 21.10.3, 21.10.4, 21.10.5, 21.10.6, 21.10.7, 21.10.8, 21.10.9, 21.10.10, 21.10.11, 21.10.12, 21.10.13, 22.4.0, 22.4.1, 22.4.2, 22.4.3, 22.4.4, 22.4.5, 22.4.6, 22.4.7, 22.10.0, 22.10.1, 22.10.2