
CVE-2017-14312

Published: 11 September 2017

Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account.
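A way to check an installation for the condition described above, as an added example that is not part of the original advisory or of Nagios itself. The function names are hypothetical, GNU `stat` is assumed, and the path to `nagios.cfg` is passed as an argument because it varies by install.

```shell
#!/bin/sh
# Added example: flag files that a root-started daemon trusts but that a
# non-root account could replace or modify. Assumes GNU stat (Linux).

# check_trusted_file FILE [EXPECTED_UID]
# Returns 0 if FILE is owned by EXPECTED_UID (default 0, root) and is not
# writable by group or others; otherwise prints the reason and returns 1.
check_trusted_file() {
    file=$1
    want_uid=${2:-0}
    bad=0

    if [ ! -e "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi

    # %u = numeric owner uid, %a = octal permission bits (e.g. 755).
    # -L follows symlinks so the real target is what gets judged.
    uid=$(stat -L -c '%u' "$file")
    mode=$(stat -L -c '%a' "$file")

    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $file is owned by uid $uid, expected $want_uid"
        bad=1
    fi
    # A leading 0 makes the shell read the mode as octal; 022 masks the
    # group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $file has mode $mode (group/other write)"
        bad=1
    fi
    return $bad
}

# audit_nagios BINARY CONFIG: check the two files named in the CVE text.
# Example call: audit_nagios /usr/sbin/nagios /path/to/nagios.cfg
audit_nagios() {
    rc=0
    check_trusted_file "$1" 0 || rc=1
    check_trusted_file "$2" 0 || rc=1
    return $rc
}
```

A zero exit status from `audit_nagios` means both files are root-owned and not group- or world-writable; any printed line names the file to fix.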

Priority

High

CVSS 3 base score: 7.8

Status

Package: nagios3 (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needs triage
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected)

Notes

Author: mdeslaur
Note: This issue doesn't apply to the Debian/Ubuntu package. The binary and config file both have appropriate permissions.
