CVE-2008-5028
Published: 10 November 2008
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests.
Notes
| Author | Note |
|---|---|
| mdeslaur | Nagios 1.x doesn't have the CMD_CHANGE commands, so remote attackers wouldn't be able to trigger arbitrary programs. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
nagios Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(2:1.3-cvs.20050402-8ubuntu7)
|
| gutsy |
Not vulnerable
(2:1.4-3.1ubuntu1)
|
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
nagios2 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| gutsy |
Ignored
(end of life, was needed)
|
|
| hardy |
Released
(2.11-1ubuntu1.4)
|
|
| intrepid |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
nagios3 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| gutsy |
Does not exist
|
|
| hardy |
Does not exist
|
|
| intrepid |
Released
(3.0.2-1ubuntu1.1)
|
|
| upstream |
Released
(3.0.6)
|
|
|
Patches: upstream: http://git.op5.org/git/?p=nagios.git;a=commitdiff;h=9c2a418ab4f6e4ef3a53ddcde402fe4781caa764 upstream: http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110 |
||