CVE-2024-33852
Description
A SQL Injection vulnerability exists in the Downtime component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection in Centreon Web's Downtime component allows unauthenticated attackers to execute arbitrary SQL queries.
Vulnerability
CVE-2024-33852 is a SQL injection vulnerability in the Downtime component of Centreon Web. It affects Centreon Web versions 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23 [1]. The vulnerability exists in the handling of downtime-related input, which is not properly sanitized before being used in SQL queries.
Exploitation
An attacker does not require authentication to exploit this vulnerability [1]. The exploit vector is a network-based attack where the attacker sends specially crafted HTTP requests to the Centreon Web interface, injecting malicious SQL statements into the parameters processed by the Downtime component. The vulnerability can be triggered without user interaction.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized access to sensitive data, modification of database records, and potentially full compromise of the Centreon application [1]. The Centreon security bulletin notes that the impact is severe, especially if the web interface is exposed to the internet [1].
Mitigation
Centreon has released fixed versions: Centreon Web 24.04.3, 23.10.13, 23.04.19, and 22.10.23 [1]. These updates contain cumulative fixes for all reported SQL injection vulnerabilities. Users running unsupported versions are strongly advised to upgrade to version 24.04 [1]. Centreon Cloud platforms have already been updated. No workarounds are mentioned in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
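The fixed releases listed under Mitigation can be checked against an inventory of installed versions. The following is an added example, not code from Centreon or from this page's source. Its function names, status labels and sample hosts are assumptions, and it compares patch levels numerically so that 22.10.9 is correctly ranked below 22.10.23.

```python
import re

# Fixed patch level per branch, taken from the advisory text on this page.
FIXED = {(24, 4): 3, (23, 10): 13, (23, 4): 19, (22, 10): 23}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '23.10.12-1.el8'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Centreon Web version: {text!r}")
    return tuple(int(p) for p in m.groups())


def classify(version_text):
    """Classify one installed version against CVE-2024-33852's ranges.

    'affected'   -> listed branch, below the fixed release
    'fixed'      -> listed branch, at or above the fixed release
    'not-listed' -> branch absent from the advisory; nothing can be inferred
                    from this page, check the vendor bulletin for that branch
    """
    major, minor, patch = parse_version(version_text)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-listed"
    return "affected" if patch < fixed_patch else "fixed"


def audit(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "mon-01": "24.04.2",
        "mon-02": "23.10.13-1.el8",
        "mon-03": "22.10.9",
        "mon-04": "21.10.5",
    }
    for host, status in sorted(audit(sample).items()):
        print(f"{host}: {status}")
```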
Affected products
- (no CPE)
- (no CPE), range: 24.04.x < 24.04.3, 23.10.x < 23.10.13, 23.04.x < 23.04.19, 22.10.x < 22.10.23
Patches
No patches discovered yet.