CVE-2020-13977
Published: 9 June 2020
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.
Priority
Status
Package | Release | Status |
---|---|---|
nagios4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Ignored
(end of life)
|
|
focal |
Needs triage
|
|
groovy |
Not vulnerable
(4.3.4-4)
|
|
hirsute |
Not vulnerable
(4.3.4-4)
|
|
impish |
Not vulnerable
(4.3.4-4)
|
|
jammy |
Not vulnerable
(4.3.4-4)
|
|
kinetic |
Not vulnerable
(4.3.4-4)
|
|
lunar |
Not vulnerable
(4.3.4-4)
|
|
mantic |
Not vulnerable
(4.3.4-4)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.9 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | High |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |