CVE-2017-6188

Published: 22 February 2017

Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package: munin (Launchpad, Ubuntu, Debian)
Release and status:
Upstream: Released (2.0.31)
Ubuntu 16.04 ESM (Xenial Xerus): Released (2.0.25-2ubuntu0.16.04.2)
Ubuntu 14.04 ESM (Trusty Tahr): Released (2.0.19-3ubuntu0.2)

Patches:
Upstream: https://github.com/munin-monitoring/munin/commit/42ce18f24d3eae8be33526a198bf21e4f2330230
Upstream: https://github.com/munin-monitoring/munin/commit/549bd25d6a45e153159ef8535fc070a71093a3c9