Vendor: Nagios
Nagios is an open-source network and infrastructure monitoring system. It monitors hosts, services, and network devices, sending alerts when components fail and again when they recover. Originally written by Ethan Galstad in 1999 as NetSaint, it was renamed Nagios in 2002 after a trademark dispute. The name is a recursive acronym: "Nagios Ain't Gonna Insist On Sainthood."
Founded: 1999
Products: 6
CVEs: 36
CVEs across products: 540
Status: Private
Products (6), by CVE count:
- 489 CVEs
- 29 CVEs
- 17 CVEs
- 3 CVEs
- 1 CVE
- 1 CVE
Recent CVEs (36)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-9565 | Critical | 0.68 | 9.8 | 0.20 | | Dec 15, 2016 | MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2, might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796. |
| CVE-2014-5009 | Critical | 0.64 | 9.8 | 0.03 | | Mar 31, 2017 | Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008. |
| CVE-2008-7313 | Critical | 0.64 | 9.8 | 0.01 | | Mar 31, 2017 | The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796. |
| CVE-2016-9566 | High | 0.54 | 7.8 | 0.09 | | Dec 15, 2016 | base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. |
| CVE-2017-14312 | High | 0.51 | 7.8 | 0.00 | | Sep 11, 2017 | Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account. |
| CVE-2017-12847 | Medium | 0.41 | 6.3 | 0.00 | | Aug 23, 2017 | Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command. |
| CVE-2016-6209 | Medium | 0.40 | 6.1 | 0.01 | | Mar 31, 2017 | Cross-site scripting (XSS) vulnerability in Nagios. |
| CVE-2009-2288 | | 0.10 | — | 0.93 | | Jul 1, 2009 | statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters. |
| CVE-2013-1362 | | 0.09 | — | 0.76 | | Jul 9, 2013 | Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. |
| CVE-2012-6096 | | 0.09 | — | 0.80 | | Jan 22, 2013 | Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable. |
| CVE-2013-7108 | | 0.07 | — | 0.49 | | Jan 15, 2014 | Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read. |
| CVE-2013-6875 | | 0.05 | — | 0.20 | | Nov 26, 2013 | SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php. |
| CVE-2011-2179 | | 0.05 | — | 0.30 | | Jun 14, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action. |
| CVE-2014-2913 | | 0.04 | — | 0.19 | | May 7, 2014 | Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments. |
| CVE-2007-5198 | | 0.04 | — | 0.16 | | Oct 4, 2007 | Buffer overflow in the redir function in check_http.c in Nagios Plugins before 1.4.10, when running with the -f (follow) option, allows remote web servers to execute arbitrary code via Location header responses (redirects) with a large number of leading "L" characters. |
| CVE-2016-8641 | | 0.03 | — | 0.01 | | Aug 1, 2018 | A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It is possible for a local attacker to create symbolic links before the files are created and possibly escalate privileges through the ownership change. |
| CVE-2014-4703 | | 0.03 | — | 0.00 | | Dec 5, 2014 | lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701. |
| CVE-2014-4702 | | 0.00 | — | 0.00 | | Dec 5, 2014 | The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701. |
| CVE-2014-4701 | | 0.00 | — | 0.00 | | Dec 5, 2014 | The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702. |
| CVE-2013-4215 | | 0.00 | — | 0.00 | | May 5, 2014 | The IPXPING_COMMAND in contrib/check_ipxping.c in Nagios Plugins 1.4.16 allows local users to gain privileges via a symlink attack on /tmp/ipxping/ipxping. |