CVE-2020-22345
Description
Remote attackers can execute arbitrary OS commands in Centreon 19.10.8 via shell metacharacters in the RRDdatabase_path parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in Centreon version 19.10.8 in the file /graphStatus/displayServiceStatus.php. The RRDdatabase_path parameter is not sanitized, allowing an attacker to inject shell metacharacters, leading to OS command injection [2].
Exploitation
An attacker can send a crafted HTTP request to the vulnerable endpoint with malicious shell metacharacters in the RRDdatabase_path parameter. No authentication is required, making it remotely exploitable [2].
Impact
Successful exploitation allows arbitrary OS command execution on the server. The attacker can execute system commands with the privileges of the web server, potentially leading to full compromise of the monitoring server and access to sensitive data.
Mitigation
A fix has been proposed in a pull request [1]. Users should upgrade to a patched version of Centreon once available. As of the publication date, no official release with the fix is mentioned, but updating to the latest version is recommended. If immediate upgrade is not possible, restrict access to the vulnerable endpoint.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| centreon/centreon (Packagist) | < 20.04.0 | 20.04.0 |
Affected products
- Centreon/Centreon
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2q95-593f-g7h7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-22345 (ghsa, ADVISORY)
- engindemirbilek.github.io/centreon-19.10-rce (ghsa, x_refsource_MISC, WEB)
- github.com/centreon/centreon/pull/8467 (ghsa, x_refsource_MISC, WEB)