Arbitrary Command Execution Affecting centreon/centreon package, versions <19.10.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-CENTREONCENTREON-451340
- published 2 Jul 2019
- disclosed 1 Jul 2019
- credit Askar
Introduced: 1 Jul 2019
CVE-2019-13024 Open this link in a new tabHow to fix?
Upgrade centreon/centreon to version 19.10.0 or higher.
Overview
centreon/centreon is a network, system, applicative supervision and monitoring tool.
Affected versions of this package are vulnerable to Arbitrary Command Execution. An attacker can execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert an arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).