Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 Multiple vulnerabilities

Authors: Jared Arave        Risk: High

CVE: CVE-2018-8733          0day: SQL injection

CVE: CVE-2018-8734          0day: SQL injection

CVE: CVE-2018-8735          0day: OS command injection

CVE: CVE-2018-8736          0day: Chained Remote Root

0day-id: 0DAY-176127        Date: 2018-05-02

Description

Chained together, these vulnerabilities leave Nagios XI exposed to unauthenticated remote command injection as root.

CVE-2018-8733

Authentication bypass vulnerability in the core config manager in
Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated
attacker to make configuration changes and leverage an authenticated
SQL injection vulnerability.

CVE-2018-8734

SQL injection vulnerability in the core config manager in Nagios XI
5.2.x through 5.4.x before 5.4.13 allows an attacker to execute
arbitrary SQL commands via the selInfoKey1 parameter.

CVE-2018-8735

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through
5.4.x before 5.4.13 allows an attacker to execute arbitrary operating
system commands on the target system (OS command injection).

CVE-2018-8736

A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x
before 5.4.13 allows an attacker who has already obtained remote command
execution to escalate privileges to root.
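All four CVEs share the affected range stated above (5.2.x through 5.4.x, fixed in 5.4.13), so the first defender task is finding which installations still fall inside it. The following Python snippet is an added example, not part of the advisory or of Nagios XI itself: it parses version strings, tests them against that range, and triages a small inventory. The host names and version numbers in the inventory are constructed for illustration.

```python
import re

# Affected range as stated in the advisory: 5.2.x through 5.4.x before 5.4.13.
AFFECTED_MIN = (5, 2, 0)   # inclusive lower bound
FIXED_IN = (5, 4, 13)      # exclusive upper bound (first fixed release)


def parse_version(text):
    """Parse a version string such as '5.4.12' or '5.3' into a 3-tuple of ints.

    Missing components are padded with 0, and any trailing suffix (e.g. a
    build tag) after the numeric part is ignored.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True if the given Nagios XI version lies in the advisory's affected range."""
    v = parse_version(version_text)
    return AFFECTED_MIN <= v < FIXED_IN


def triage(inventory):
    """Return the (host, version) pairs that need patching, sorted by host.

    inventory: mapping of host name -> reported Nagios XI version string.
    Hosts whose version string cannot be parsed are reported as well, since an
    unknown version should be treated as unverified rather than as safe.
    """
    needs_patch = []
    for host, version in sorted(inventory.items()):
        try:
            if is_affected(version):
                needs_patch.append((host, version))
        except ValueError:
            needs_patch.append((host, f"UNPARSEABLE:{version}"))
    return needs_patch


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "mon-01.example.internal": "5.4.12",   # affected: below the fixed release
    "mon-02.example.internal": "5.4.13",   # fixed release
    "mon-03.example.internal": "5.2.6",    # affected: lower bound of the range
    "mon-04.example.internal": "5.1.9",    # older than the affected range
    "mon-05.example.internal": "5.3",      # affected: 5.3.x with no patch level given
    "mon-06.example.internal": "unknown",  # unparseable, flagged for manual check
}


if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> patch to 5.4.13 or later")
```

The range check deliberately treats 5.3 as 5.3.0 and flags it, and reports unparseable versions rather than silently dropping them; both choices err toward listing a host for review rather than missing one.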
