VYPR
Unrated severity · NVD Advisory · Published Aug 23, 2024 · Updated Aug 27, 2024

CVE-2024-33854

Description

A SQL Injection vulnerability exists in the Graph Template component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-33854 is a SQL injection flaw in Centreon Web's Graph Template component affecting multiple prior versions, patched in 24.04.3, 23.10.13, 23.04.19, and 22.10.23.

Vulnerability

CVE-2024-33854 is a SQL injection vulnerability located in the Graph Template component of Centreon Web [1]. The issue affects versions 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23 [1]. An authenticated attacker can exploit insufficient input validation within the Graph Template feature to inject arbitrary SQL commands into backend queries [1].

Exploitation

An attacker requires valid credentials for the Centreon Web interface and network access to the application [1]. By crafting malicious input in the Graph Template parameters, the attacker can submit specially formed requests that bypass intended query constraints [1]. No user interaction beyond sending the crafted request is needed, and the attack does not require a race condition [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL statements on the Centreon database [1]. This can lead to unauthorized read, modification, or deletion of sensitive monitoring data and configuration, potentially compromising the entire Centreon platform [1]. The impact is rated as severe because the database contains credentials and operational metrics [1].

Mitigation

Centreon has released fixed versions: Centreon Web 24.04.3, 23.10.13, 23.04.19, and 22.10.23 [1][2]. All users on supported versions should upgrade immediately. For unsupported versions, upgrading to the latest 24.04 release is strongly recommended [1]. Centreon Cloud platforms are already updated and not affected [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Centreon/Centreon Web (cpe-rescue, 2 versions)
    • (no CPE)
    • (no CPE), range: 22.10.x < 22.10.23, 23.04.x < 23.04.19, 23.10.x < 23.10.13, 24.04.x < 24.04.3

Patches

0

No patches discovered yet.

References

1
