CVE-2024-55573
Description
An issue was discovered in Centreon centreon-web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to inject SQL into the form used to create virtual metrics.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in Centreon Web's virtual metric creation form allows authenticated users with high privileges to execute arbitrary SQL commands.
Vulnerability
A SQL injection vulnerability exists in the centreon-web component of Centreon, affecting versions 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, and 23.04.x before 23.04.24 [1]. The flaw resides in the form used to create virtual metrics on the central server, where an authenticated user with high privileges can inject malicious SQL statements [1].
Exploitation
An attacker must be an authenticated user with high privileges and have the rights to create a virtual metric [1]. The attack is network-based (AV:N), has low attack complexity (AC:L), and requires no user interaction (UI:N) [1]. The attacker injects SQL payloads into the virtual metric creation form, which are then executed by the database backend [1].
Impact
Successful exploitation leads to complete compromise of confidentiality, integrity, and availability (CIA), as indicated by a CVSS v3.1 base score of 9.1 (Critical) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H [1]. The impact is escalated to other components (scope changed, S:C), meaning an attacker could read, modify, or delete any data in the database, and potentially gain further access to the Centreon server [1].
Mitigation
Centreon has released fixed versions for all supported branches: Centreon Web 24.10.3, 24.04.9, 23.10.19, and 23.04.24 [1]. These updates are available through the official Centreon release page [2]. Users must upgrade to the patched versions to remediate the vulnerability. No workaround is documented; upgrading is the recommended action [1].
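The fixed-version boundaries above can be turned into a triage check over a host inventory. The following is an added example, not code from Centreon or from this page; the host names and sample versions are constructed, and it assumes the installed centreon-web version string has already been collected and may carry a package release suffix.

```python
import re

# First fixed release per branch, taken from the advisory text above.
FIXED = {(24, 10): 3, (24, 4): 9, (23, 10): 19, (23, 4): 24}

_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")

def triage(version: str) -> str:
    """Classify a centreon-web version string against CVE-2024-55573.

    Returns "affected", "fixed", or "unknown" (unparseable string, or a
    branch the advisory does not list, which needs manual review).
    """
    m = _VERSION.match(version)
    if not m:
        return "unknown"
    major, minor, patch = (int(g) for g in m.groups())
    first_fixed = FIXED.get((major, minor))
    if first_fixed is None:
        return "unknown"
    return "affected" if patch < first_fixed else "fixed"

def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by triage result so affected ones can be scheduled first."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        report[triage(version)].append(host)
    return report

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "central-a": "24.10.2",
    "central-b": "24.10.3",
    "central-c": "24.04.8-1.el9",   # assumed package release suffix, ignored
    "central-d": "23.10.19",
    "central-e": "23.04.9",         # numeric compare: 9 < 24, unlike a string compare
    "central-f": "22.10.5",         # branch not listed in the advisory
    "central-g": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:9} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" are on a branch the advisory does not list or have an unparseable version, so they need manual review rather than being treated as safe.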
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
References: 1
News mentions: 0. No linked articles in our index yet.