Published: 10/02/2014 Updated: 07/11/2023

CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8

VMScore: 356

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

status.cgi in Nagios 4.0 prior to 4.0 beta4 and 3.x prior to 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid style in status.cgi. NOTE: this behavior is by design in most 3.x versions, but the upstream vendor "decided to change it for Nagios 4" and 3.5.1.

Vulnerable Product	Search on Vulmon	Subscribe to Product
nagios nagios 3.0
nagios nagios 3.1.2
nagios nagios 3.5.0
nagios nagios 3.2.2
nagios nagios 3.2.0
nagios nagios 3.1.1
nagios nagios 3.0.6
nagios nagios 3.0.1
nagios nagios 3.4.4
nagios nagios 3.4.1
nagios nagios 3.0.2
nagios nagios 3.1.0
nagios nagios 4.0.0
nagios nagios 3.4.2
nagios nagios 3.4.3
nagios nagios 3.0.4
nagios nagios 3.2.1
nagios nagios 3.0.3
nagios nagios 3.2.3
nagios nagios 3.3.1
nagios nagios 3.0.5
nagios nagios 3.4.0

statuscgi in Nagios 40 before 40 beta4 and 3x before 351 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid style in statuscgi NOTE: this behavior is by design ...

CWE-264 http://tracker.nagios.org/view.php?id=456 http://lists.opensuse.org/opensuse-updates/2013-07/msg00031.html http://seclists.org/oss-sec/2013/q2/619 http://seclists.org/oss-sec/2013/q2/622 http://lists.opensuse.org/opensuse-updates/2013-07/msg00029.html https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2013-2214

CVE-2013-2214

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect