rpm package
opensuse/nagios&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/nagios&distro=openSUSE%20Tumbleweed
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-13977 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Jun 9, 2020 | Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerab | ||
| CVE-2019-3698 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Feb 28, 2020 | UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue | ||
| CVE-2018-18245 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Dec 17, 2018 | Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE. | ||
| CVE-2016-8641 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Aug 1, 2018 | A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possib | ||
| CVE-2018-13441 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Jul 12, 2018 | qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. | ||
| CVE-2017-12847 | Med | 6.3 | < 4.4.6-2.5 | 4.4.6-2.5 | Aug 23, 2017 | Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat | |
| CVE-2016-0726 | Cri | 9.8 | < 4.4.6-2.5 | 4.4.6-2.5 | Jun 6, 2017 | The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. | |
| CVE-2016-6209 | Med | 6.1 | < 4.4.6-2.5 | 4.4.6-2.5 | Mar 31, 2017 | Cross-site scripting (XSS) vulnerability in Nagios. | |
| CVE-2016-9566 | Hig | 7.8 | < 4.4.6-2.5 | 4.4.6-2.5 | Dec 15, 2016 | base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. | |
| CVE-2014-1878 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Feb 28, 2014 | Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cm | ||
| CVE-2013-2214 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Feb 10, 2014 | status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summa | ||
| CVE-2013-7108 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Jan 15, 2014 | Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in th | ||
| CVE-2013-4214 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Nov 23, 2013 | rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache. | ||
| CVE-2011-1523 | — | < 4.4.6-2.5 | 4.4.6-2.5 | May 3, 2011 | Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter. | ||
| CVE-2008-4796 | — | < 4.4.6-2.5 | 4.4.6-2.5 | Oct 30, 2008 | The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metachar | ||
| CVE-2007-5803 | — | < 4.4.6-2.5 | 4.4.6-2.5 | May 13, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360. | ||
| CVE-2006-2162 | — | < 4.4.6-2.5 | 4.4.6-2.5 | May 3, 2006 | Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header. |
- CVE-2020-13977Jun 9, 2020affected < 4.4.6-2.5fixed 4.4.6-2.5
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerab
- CVE-2019-3698Feb 28, 2020affected < 4.4.6-2.5fixed 4.4.6-2.5
UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue
- CVE-2018-18245Dec 17, 2018affected < 4.4.6-2.5fixed 4.4.6-2.5
Nagios Core 4.4.2 has XSS via the alert summary reports of plugin results, as demonstrated by a SCRIPT element delivered by a modified check_load plugin to NRPE.
- CVE-2016-8641Aug 1, 2018affected < 4.4.6-2.5fixed 4.4.6-2.5
A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possib
- CVE-2018-13441Jul 12, 2018affected < 4.4.6-2.5fixed 4.4.6-2.5
qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
- affected < 4.4.6-2.5fixed 4.4.6-2.5
Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat
- affected < 4.4.6-2.5fixed 4.4.6-2.5
The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
- affected < 4.4.6-2.5fixed 4.4.6-2.5
Cross-site scripting (XSS) vulnerability in Nagios.
- affected < 4.4.6-2.5fixed 4.4.6-2.5
base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.
- CVE-2014-1878Feb 28, 2014affected < 4.4.6-2.5fixed 4.4.6-2.5
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cm
- CVE-2013-2214Feb 10, 2014affected < 4.4.6-2.5fixed 4.4.6-2.5
status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summa
- CVE-2013-7108Jan 15, 2014affected < 4.4.6-2.5fixed 4.4.6-2.5
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in th
- CVE-2013-4214Nov 23, 2013affected < 4.4.6-2.5fixed 4.4.6-2.5
rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.
- CVE-2011-1523May 3, 2011affected < 4.4.6-2.5fixed 4.4.6-2.5
Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter.
- CVE-2008-4796Oct 30, 2008affected < 4.4.6-2.5fixed 4.4.6-2.5
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metachar
- CVE-2007-5803May 13, 2008affected < 4.4.6-2.5fixed 4.4.6-2.5
Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360.
- CVE-2006-2162May 3, 2006affected < 4.4.6-2.5fixed 4.4.6-2.5
Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.