CVE-2018-11587
Description
Remote Code Execution in Centreon 3.4.6 / Centreon Web 2.8.23 via a crafted RPN value in the Virtual Metric form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in Centreon 3.4.6 and Centreon Web 2.8.23. The flaw is in centreonGraph.class.php, in how the application handles the RPN (Reverse Polish Notation) value of a Virtual Metric. The RPN string is spliced unsanitized into the rrdtool command line, so an attacker who controls it can inject arbitrary shell commands [1][2][3]. The affected path is the initCurveList method, which concatenates the RPN string directly into the RRDtool CDEF argument [1].
Exploitation
An attacker must have authenticated access to the Centreon web interface with sufficient privileges to create or modify Virtual Metrics. No network-level access beyond the web UI is required. The attacker submits a malicious RPN expression (e.g., one containing backticks, `$( )`, `;` or other shell metacharacters) in the Virtual Metric form. The value is not sanitized and is passed through to the rrdtool command line, where the shell interprets it, giving arbitrary command execution [1][3]. Proof-of-concept code was publicly disclosed shortly after the advisory [3].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands with the privileges of the web server process (typically www-data or apache). This can lead to full compromise of the Centreon server, including data exfiltration, lateral movement, and further attacks on the monitored infrastructure [2][4].
Mitigation
The vulnerability is fixed in Centreon Web version 2.8.24, released on June 25, 2018 [2][4]. The fix was implemented via pull request #6263, which sanitizes the RPN input before building the rrdtool command line [1][3]. Users should immediately upgrade to Centreon Web 2.8.24 or later. No workaround is available for unpatched versions. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update.
1. fix(sec): Fix execution command by rrdtool command line by leoncx · Pull Request #6263 · centreon-archive/centreon-archived
2. NVD - CVE-2018-11587
3. fix(sec): Fix execution command by rrdtool command line by leoncx · Pull Request #6263 · centreon-archive/centreon-archived
4. Centreon Web 2.8.24 — Centreon 19.04.0 documentation
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| centreon/centreon | Packagist | >= 2.8.23, < 2.8.24 | 2.8.24 |
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application improperly sanitizes RPN (Reverse Polish Notation) values used in virtual metrics, allowing arbitrary command injection."
Attack vector
An attacker crafts a malicious RPN value in the Virtual Metric form. That value is later used in `centreonGraph.class.php` when the rrdtool command line is assembled. Because it is not sanitized, shell metacharacters in it are interpreted by the shell that launches rrdtool, and the injected commands run on the server with the web server's privileges.
Affected code
The vulnerability exists in `centreonGraph.class.php`. The `setRRDOption` method stores user-derived option values, and the `displayImageFlow` method builds the command line from them, including the RPN-derived values. The fix commit (fb438e6, reference 5 below) modifies `setRRDOption` to address the issue.
What the fix does
The patch modifies the `setRRDOption` function so that values are passed through `escapeshellarg` before they are appended to the rrdtool command line. Each value therefore reaches the shell as a single quoted argument: backticks, `$( )`, `;` and other metacharacters inside the RPN value become literal characters in one argument instead of being interpreted as commands. The fix addresses the injection at the point where user-supplied input is turned into a shell command.
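The following PHP is an added illustration of the injection described under Attack vector and of the `escapeshellarg` defence described under What the fix does. It is not Centreon's code: the class `RrdGraphCommand`, the method names, the sample metric names and the RPN payload are all constructed for the example, and the command line is only printed, never executed. The allowlist validator at the end is an extra defence-in-depth measure that the page does not attribute to the Centreon fix; its operator list is illustrative, not a complete rrdtool RPN grammar.

```php
<?php
// Added example for CVE-2018-11587; hypothetical stand-in for the logic in
// centreonGraph.class.php, not the project's own code.
declare(strict_types=1);

final class RrdGraphCommand
{
    /** @var string[] rrdtool graph arguments, in order of addition */
    private array $args = [];

    public function __construct(private string $rrdtool = '/usr/bin/rrdtool') {}

    // Vulnerable pattern: the attacker-controlled RPN is glued straight into a
    // CDEF argument, and the whole line is later handed to a shell. Anything
    // the shell understands (backticks, $(...), ;, |) is executed, not graphed.
    public function addVirtualMetricVulnerable(string $vmName, string $rpn): void
    {
        $this->args[] = 'CDEF:vm_' . $vmName . '=' . $rpn;
    }

    // Fixed pattern, the same defence the page describes for PR #6263: every
    // user-derived value goes through escapeshellarg(), so the shell receives
    // one single-quoted literal argument and interprets nothing inside it.
    public function addVirtualMetricFixed(string $vmName, string $rpn): void
    {
        $this->args[] = escapeshellarg('CDEF:vm_' . $vmName . '=' . $rpn);
    }

    // Defence in depth (an addition, not part of the Centreon fix): accept only
    // tokens that can legitimately appear in an RPN expression: known metric
    // names, numeric constants, and a (partial, illustrative) set of operators.
    public static function validateRpn(string $rpn, array $knownMetrics): bool
    {
        static $operators = ['+', '-', '*', '/', '%', 'ADDNAN', 'MIN', 'MAX',
            'LIMIT', 'IF', 'UN', 'ISINF', 'LT', 'LE', 'GT', 'GE', 'EQ', 'NE',
            'UNKN', 'INF', 'NEGINF', 'PREV', 'COUNT', 'NOW', 'TIME', 'LTIME',
            'SIN', 'COS', 'LOG', 'EXP', 'SQRT', 'ATAN', 'ATAN2', 'FLOOR', 'CEIL',
            'ABS', 'AVG', 'TREND', 'TRENDNAN', 'DUP', 'POP', 'EXC'];
        foreach (explode(',', $rpn) as $tok) {
            if ($tok === '') {
                return false;
            }
            if (in_array($tok, $operators, true) || in_array($tok, $knownMetrics, true)) {
                continue;
            }
            if (preg_match('/^-?\d+(\.\d+)?([eE][-+]?\d+)?$/', $tok) === 1) {
                continue;
            }
            return false; // anything else (quotes, backticks, spaces, $) is rejected
        }
        return true;
    }

    public function commandLine(): string
    {
        return $this->rrdtool . ' graph - ' . implode(' ', $this->args);
    }
}

// Constructed sample input: a virtual metric whose RPN carries a shell payload,
// plus a benign RPN for comparison. Metric names v1/v2 are made up.
$knownMetrics = ['v1', 'v2'];
$maliciousRpn = 'v1,v2,+`id > /tmp/pwned`';
$benignRpn    = 'v1,v2,+,100,/';

$vuln = new RrdGraphCommand();
$vuln->addVirtualMetricVulnerable('sum', $maliciousRpn);
echo 'vulnerable: ' . $vuln->commandLine() . PHP_EOL;
// The backtick substitution appears on the command line exactly as a shell
// would see it; passing that string to exec()/popen() runs `id > /tmp/pwned`
// as the web-server user before rrdtool ever parses the CDEF.

$fixed = new RrdGraphCommand();
$fixed->addVirtualMetricFixed('sum', $maliciousRpn);
echo 'fixed:      ' . $fixed->commandLine() . PHP_EOL;
// The CDEF is now one single-quoted argument. The backticks are literal,
// rrdtool rejects the unknown token, and the shell executes nothing extra.

var_dump(RrdGraphCommand::validateRpn($benignRpn, $knownMetrics));
var_dump(RrdGraphCommand::validateRpn($maliciousRpn, $knownMetrics));
```

Run with `php example.php` (PHP 8.0 or later, for constructor property promotion). Escaping at the point where the command line is built is the essential fix; the allowlist is worth adding on top because it also rejects RPN that is syntactically harmless to the shell but not something an operator should be able to submit, and it fails closed on any token it does not recognise.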
Preconditions
- A crafted RPN value must be submitted through the Virtual Metric form by an authenticated user with privileges to create or modify Virtual Metrics.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c8qc-cp8v-prpx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11587 (GHSA advisory)
- documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html (GHSA; x_refsource_CONFIRM, web)
- github.com/centreon/centreon-archived/pull/6263 (GHSA, web)
- github.com/centreon/centreon-archived/pull/6263/commits/fb438e6aaf133cc5f9d25130653ba8fdc6ecf51f (GHSA, web)
- github.com/centreon/centreon/pull/6263 (MITRE; x_refsource_CONFIRM)
- github.com/centreon/centreon/releases (MITRE; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.