CVE-2020-13977
Description
In Nagios 4.4.5, an attacker with administrative access can exploit the 'URL for JSON CGIs' setting to inject malicious code into Alert Histogram and Trends via crafted CGI files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Nagios 4.4.5 is affected by a vulnerability in the 'URL for JSON CGIs' configuration setting, as described in the CVE and referenced advisories [1][2][3][4]. An attacker with administrative privileges can modify this setting to point to crafted versions of archivejson.cgi, objectjson.cgi, and statusjson.cgi files, thereby altering the Alert Histogram and Trends code.
Exploitation
The attacker must already have administrative access to the Nagios system to change the 'URL for JSON CGIs' configuration setting. Once this setting is modified, the attacker can supply malicious CGI files that are executed when the Alert Histogram and Trends features are accessed. No additional user interaction or network position is required beyond administrative privileges.
Impact
Successful exploitation allows the attacker to modify the Alert Histogram and Trends code, potentially leading to arbitrary code execution with the privileges of the Nagios process. This could result in full compromise of the Nagios server and the data it monitors.
Mitigation
No official fix version has been disclosed in the available references. Users should monitor the Nagios Core changelog [4] for updates. As a workaround, restrict administrative access to trusted users only and review the 'URL for JSON CGIs' setting for unauthorized changes.
- [1] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/
- [2] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H7T6MSDWMBJEVVFSOK7DOYJJWDAFQCEQ/
- [3] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5P6NHNG2SJAM6DXVTXQH3AOJ4WQVKJUE/
- [4] Nagios Core 4.x Changelog | Nagios Open Source
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Nagios/Nagios
- Range: = 4.4.5
- OSV coordinates (3 versions, no CPE):
  - pkg:rpm/opensuse/nagios (openSUSE Leap 15.2): range < 4.4.6-lp152.2.3.1
  - pkg:rpm/opensuse/nagios (openSUSE Tumbleweed): range < 4.4.6-2.5
  - pkg:rpm/suse/nagios (SUSE Package Hub 15 SP2): range < 4.4.6-bp152.2.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P6NHNG2SJAM6DXVTXQH3AOJ4WQVKJUE/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H7T6MSDWMBJEVVFSOK7DOYJJWDAFQCEQ/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/ (MITRE, vendor advisory, x_refsource_FEDORA)
- anhtai.me/nagios-core-4-4-5-url-injection/ (MITRE, x_refsource_MISC)
- github.com/sawolf/nagioscore/tree/url-injection-fix (MITRE, x_refsource_MISC)
- www.nagios.org/projects/nagios-core/history/4x/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.