CVE-2008-5028
Published: 10 November 2008
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests.
Notes
Author | Note |
---|---|
mdeslaur | Nagios 1.x doesn't have the CMD_CHANGE commands, so remote attackers wouldn't be able to trigger arbitrary programs. |
Priority
Status
Package | Release | Status |
---|---|---|
nagios | dapper | Not vulnerable (2:1.3-cvs.20050402-8ubuntu7) |
nagios | gutsy | Not vulnerable (2:1.4-3.1ubuntu1) |
nagios | hardy | Does not exist |
nagios | intrepid | Does not exist |
nagios | upstream | Needs triage |
nagios2 | dapper | Does not exist |
nagios2 | gutsy | Ignored (end of life, was needed) |
nagios2 | hardy | Released (2.11-1ubuntu1.4) |
nagios2 | intrepid | Does not exist |
nagios2 | upstream | Needs triage |
nagios3 | dapper | Does not exist |
nagios3 | gutsy | Does not exist |
nagios3 | hardy | Does not exist |
nagios3 | intrepid | Released (3.0.2-1ubuntu1.1) |
nagios3 | upstream | Released (3.0.6) |
Patches:
upstream: http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764 (proposed fix)
upstream: http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110 (temporary patch)