CVE-2024-32501
Description
A SQL Injection vulnerability exists in the updateServiceHost functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Centreon Web versions before 24.04.3, 23.10.13, 23.04.19, and 22.10.23 are vulnerable to SQL injection in the updateServiceHost function.
Vulnerability
A SQL injection vulnerability exists in the updateServiceHost functionality of Centreon Web. All on-premise versions prior to the fixes are affected: Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23 [2]. The vulnerability allows an attacker to inject arbitrary SQL queries via crafted input to the updateServiceHost endpoint.
Exploitation
An attacker must have authenticated access to the Centreon Web interface. With network access and valid credentials, the attacker can craft malicious SQL statements in the parameters of the updateServiceHost request. This can be done without special privileges beyond a standard user account [2]. The attack does not require user interaction beyond the initial login.
Impact
Successful exploitation enables the attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized data access, modification, or deletion, potentially compromising the entire Centreon platform. The impact is considered severe, particularly if the Centreon instance is exposed to the internet [2].
Mitigation
The vulnerability is fixed in Centreon Web versions 24.04.3, 23.10.13, 23.04.19, and 22.10.23 [2]. Users running unsupported versions should upgrade to the latest supported release (e.g., 24.04). Centreon Cloud platforms have been automatically updated. No workaround is available; applying the patch is the only mitigation [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: == 24.04.x (< 24.04.3) OR == 23.10.x (< 23.10.13) OR == 23.04.x (< 23.04.19) OR == 22.10.x (< 22.10.23)
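The following is an added example, not part of the CVE record or Centreon's own tooling: a small triage script that classifies installed Centreon Web versions against the affected ranges listed above. The inventory, hostnames and the package-suffix form (`-1.el8`) are assumptions made for illustration; branches the record does not name are reported as `unlisted` for manual review rather than treated as safe.

```python
import re

# First fixed release per branch, taken from the affected ranges listed above.
FIXED = {
    (24, 4): (24, 4, 3),
    (23, 10): (23, 10, 13),
    (23, 4): (23, 4, 19),
    (22, 10): (22, 10, 23),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '23.10.7' or '24.04.2-1.el9'."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Classify one installed Centreon Web version against CVE-2024-32501.

    'affected': on a listed branch, below that branch's fixed release
    'fixed':    on a listed branch, at or above the fixed release
    'unlisted': branch not named in the record; needs manual review
    """
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unlisted"
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map {host: version string} to {host: status}; unparsable input is 'invalid'."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "invalid"
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration (hostnames and versions are made up).
    sample = {"mon-a": "24.04.2", "mon-b": "23.10.13", "mon-c": "22.04.8",
              "mon-d": "23.04.18-1.el8", "mon-e": "n/a"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```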
Patches
No patches discovered yet.