Your submission was sent successfully! Close

CVE-2013-7108

Published: 15 January 2014

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.

Priority

Low

Status

Package Release Status
icinga
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist
(precise was needed)
quantal Ignored
(reached end-of-life)
raring Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Does not exist
(trusty was not-affected [1.10.2-1])
upstream
Released (1.10.2-1)
utopic Not vulnerable
(1.10.2-1)
vivid Not vulnerable
(1.10.2-1)
wily Not vulnerable
(1.10.2-1)
xenial Not vulnerable
(1.10.2-1)
yakkety Not vulnerable
(1.10.2-1)
zesty Not vulnerable
(1.10.2-1)
nagios3
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Does not exist
(precise was needed)
quantal Ignored
(reached end-of-life)
raring Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Does not exist
(trusty was released [3.5.1-1ubuntu1.1])
upstream Needs triage

utopic Ignored
(reached end-of-life)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial
Released (3.5.1.dfsg-2.1ubuntu1.1)
yakkety
Released (3.5.1.dfsg-2.1ubuntu3.1)
zesty
Released (3.5.1.dfsg-2.1ubuntu5)
Patches:
upstream: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
upstream: https://sourceforge.net/p/nagios/nagioscore/ci/0e733d40f8abf09bd0c0e51c2102964fc2331e97/ (3.5)