The Vigil@nce team monitors public vulnerabilities affecting your systems, and offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Nagios Open Source

vulnerability bulletin CVE-2017-14312

Nagios: privilege escalation via nagios.cfg

Synthesis of the vulnerability

An attacker can bypass restrictions via nagios.cfg of Nagios, in order to escalate his privileges.
Severity: 2/4.
Creation date: 12/09/2017.
Identifiers: CVE-2017-14312, FEDORA-2017-9d345f250a, FEDORA-2017-d270e932a3, VIGILANCE-VUL-23809.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Nagios Core is started as root and only later drops to the nagios account. The supported installation options allow the nagios binary, and likewise the nagios.cfg file it reads before dropping privileges, to be owned by a non-root account. A local attacker with access to that account can therefore alter the binary or the configuration processed by the root process, in order to escalate his privileges.

vulnerability bulletin CVE-2017-12847

Nagios: denial of service via nagios.lock PID File

Synthesis of the vulnerability

An attacker can generate a fatal error via nagios.lock PID File of Nagios, in order to trigger a denial of service.
Severity: 1/4.
Creation date: 24/08/2017.
Identifiers: CVE-2017-12847, VIGILANCE-VUL-23605.

Description of the vulnerability

Nagios Core writes its PID file nagios.lock only after it has dropped privileges, so the file belongs to the unprivileged nagios account. A local attacker with access to that account can replace the PID recorded in the file before a stop or restart performed as root kills the process named in it, so that an arbitrary process is terminated, in order to trigger a denial of service.

vulnerability bulletin CVE-2016-6209

Nagios: Cross Site Scripting via corewindow

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via corewindow of Nagios, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 03/04/2017.
Identifiers: CVE-2016-6209, VIGILANCE-VUL-22311.

Description of the vulnerability

The Nagios product offers a web service.

However, the corewindow parameter, which selects the page loaded into the main frame of the web interface, is not sufficiently validated before being inserted into the generated HTML document.

An attacker can therefore trigger a Cross Site Scripting via corewindow of Nagios, in order to run JavaScript code in the context of the web site.
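As an added example, written for this page rather than taken from Nagios, the following C code shows the two defences such a parameter needs: an allowlist restricting corewindow to a relative path under the web root, and escaping of the value wherever it lands in an HTML attribute. The frame tag with main.php as the default page, and the allowlist itself, are this example's assumptions, not Nagios' own validation rules.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist for the corewindow value (chosen for this example, not Nagios'
 * own rule): a relative path made of a small character set, so that a
 * scheme ("javascript:", "http:"), a protocol-relative "//host" or a quote
 * that closes the attribute can never get through. Returns 1 when ok. */
int corewindow_allowed(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > 512)
        return 0;
    if (v[0] == '/')                /* absolute path or "//host" */
        return 0;
    if (strstr(v, ".."))            /* parent-directory component */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!isalnum(c) && !strchr("/._-?=&", c))
            return 0;               /* ':', '"', '<', '>', '(' ... */
    }
    return 1;
}

/* Escape a string for use inside a double-quoted HTML attribute.
 * Returns the length written, or -1 when out is too small. */
int html_attr_escape(const char *in, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    size_t o = 0;
    for (; *in; in++) {
        char single[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t l = strlen(rep);
        if (o + l >= outlen)
            return -1;
        memcpy(out + o, rep, l);
        o += l;
    }
    out[o] = '\0';
    return (int)o;
}

/* Produce the frame tag for the main window (tag layout assumed for this
 * example): anything outside the allowlist falls back to the default page,
 * and the value is escaped regardless, so neither defence stands alone. */
int render_frame(const char *corewindow, char *out, size_t outlen)
{
    const char *target = corewindow_allowed(corewindow) ? corewindow : "main.php";
    char esc[2048];
    if (html_attr_escape(target, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outlen, "<frame src=\"%s\" name=\"main\">", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Result helpers: 1 when the rendered tag / escaped text equals expected. */
int render_matches(const char *corewindow, const char *expected)
{
    char buf[4096];
    return render_frame(corewindow, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int escape_matches(const char *in, const char *expected)
{
    char buf[4096];
    return html_attr_escape(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a legitimate page, a payload that would close the
     * src attribute and inject a script tag if echoed unchecked, and a
     * javascript: URL that would run when the frame loads it. */
    const char *inputs[] = { "cgi-bin/status.cgi?host=all",
                             "\"><script>alert(1)</script>",
                             "javascript:alert(1)" };
    char buf[4096];
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        render_frame(inputs[i], buf, sizeof buf);
        printf("%-32s -> %s\n", inputs[i], buf);
    }
    return 0;
}
```

The allowlist is the primary control: it decides what the frame may load, which escaping alone cannot do, since a javascript: URL needs no special characters to be dangerous. The escaping is kept anyway so that a later relaxation of the allowlist cannot silently reopen the attribute-injection case.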

vulnerability bulletin CVE-2016-10089

Nagios: privilege escalation via /etc/init.d/nagios

Synthesis of the vulnerability

A local attacker with the privileges of the nagios user can create a hard link to force /etc/init.d/nagios of Nagios to change the owner of a file belonging to root.
Severity: 1/4.
Creation date: 02/01/2017.
Identifiers: CVE-2016-10089, openSUSE-SU-2018:3258-1, SUSE-SU-2018:3240-1, VIGILANCE-VUL-21495.

Description of the vulnerability

The startup script /etc/init.d/nagios, which runs as root, changes the owner of a file located where the nagios user can create entries. Unlike a symbolic link, a hard link cannot be told apart from a regular file by its path name. A local attacker with the privileges of the nagios user can therefore create a hard link to a file belonging to root at that location, so that the script hands ownership of the root file over to the nagios account. This bulletin is related to VIGILANCE-VUL-21190, which concerns the same startup script.

vulnerability bulletin CVE-2016-9566

Nagios: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Nagios, in order to escalate his privileges.
Severity: 2/4.
Creation date: 08/12/2016.
Revision date: 16/12/2016.
Identifiers: CERTFR-2016-AVI-399, CVE-2016-9566, DLA-1615-1, DLA-751-1, openSUSE-SU-2017:0146-1, USN-3253-1, USN-3253-2, VIGILANCE-VUL-21328.

Description of the vulnerability

When the Nagios Core daemon (before version 4.2.4) is started as root, base/logging.c opens its log file without checking whether that file is a symbolic link. A local attacker with access to an account in the nagios group can replace the log file with a symbolic link to a file of his choice, so that the root process writes to it, in order to escalate his privileges. Combined with VIGILANCE-VUL-21395 (CVE-2016-9565), which gives the web server account, this can be reached from the network.

vulnerability bulletin CVE-2016-9565

Nagios Open Source: code execution via the RSS interface

Synthesis of the vulnerability

An attacker can exploit a vulnerability in the PHP RSS class bundled with Nagios Open Source, in order to run code.
Severity: 2/4.
Creation date: 15/12/2016.
Identifiers: CVE-2016-9565, DLA-751-1, VIGILANCE-VUL-21395.

Description of the vulnerability

The Nagios web front end (before version 4.2.2) fetches an RSS feed and parses it with a bundled copy of MagpieRSS, whose Snoopy HTTP class builds a command line for curl when it follows an https URL. An attacker who can spoof the response of the feed server can therefore inject shell metacharacters into such a URL, in order to run code with the privileges of the web server user. The problem comes from an incomplete fix for VIGILANCE-VUL-12742, which corresponds to VIGILANCE-VUL-16794.

vulnerability bulletin CVE-2016-8641

Nagios: privilege escalation via /etc/init.d/nagios

Synthesis of the vulnerability

A local attacker can create a file for the startup script /etc/init.d/nagios of Nagios, in order to escalate his privileges.
Severity: 2/4.
Creation date: 22/11/2016.
Identifiers: CERTFR-2016-AVI-386, CVE-2016-8641, openSUSE-SU-2018:3258-1, SUSE-SU-2018:3240-1, VIGILANCE-VUL-21190.

Description of the vulnerability

The startup script /etc/init.d/nagios runs as root, but operates on files in locations that the nagios user can write to. A local attacker can create such a file (or a link in its place) before the script runs, so that the root-owned script acts on a file of his choosing, in order to escalate his privileges.

vulnerability bulletin 20291

Nagios: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Nagios, in order to force the victim to perform operations.
Severity: 2/4.
Creation date: 02/08/2016.
Identifiers: CERTFR-2016-AVI-256, VIGILANCE-VUL-20291.

Description of the vulnerability

The Nagios product offers a web service.

However, the origin of requests is not checked: a state-changing request can, for example, be issued by an image tag included in an HTML document that an authenticated user visits, and the browser attaches the user's session to it.

An attacker can therefore trigger a Cross Site Request Forgery of Nagios, in order to force the victim to perform operations.
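The following C code, added here as an example and not taken from Nagios, shows a check that refuses exactly the kind of request described above: a GET issued by an image tag carries neither a form token nor an Origin header matching the site. The function names, the sample origins and the tokens are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Compare two tokens without leaking, through timing, how many leading
 * bytes matched. Returns 1 when equal. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i % (lb ? lb : 1)]);
    return diff == 0;
}

/* Decide whether a state-changing request may be executed.
 *   method         HTTP method of the request
 *   origin         Origin header, or NULL when the browser sent none
 *   site_origin    scheme://host[:port] under which the Nagios UI is served
 *   sent_token     token carried in the submitted form, or NULL
 *   session_token  token bound to the user's session
 * Returns 1 to allow, 0 to refuse. */
int csrf_request_allowed(const char *method, const char *origin,
                         const char *site_origin,
                         const char *sent_token, const char *session_token)
{
    /* A request triggered by <img src=...> is a GET with no form body, so
     * side effects must only be reachable through POST. */
    if (strcmp(method, "POST") != 0)
        return 0;
    /* The browser sets Origin itself; a cross-site page cannot forge it.
     * A missing header is treated as hostile rather than as trusted. */
    if (origin == NULL || strcmp(origin, site_origin) != 0)
        return 0;
    /* Second, independent check: the per-session token that a page on
     * another origin cannot read. */
    if (sent_token == NULL || !ct_equal(sent_token, session_token))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed requests: a legitimate form submission, the image-tag
     * request from the description above, a cross-site POST form, and a
     * same-origin POST with a guessed token. */
    const char *site = "https://nagios.example";
    const char *session_token = "c3f1a9";
    struct { const char *name, *method, *origin, *token; } req[] = {
        { "own form submission",  "POST", "https://nagios.example",   "c3f1a9" },
        { "img tag on evil page", "GET",  "https://attacker.example", NULL     },
        { "cross-site POST form", "POST", "https://attacker.example", NULL     },
        { "guessed token",        "POST", "https://nagios.example",   "000000" },
    };
    for (size_t i = 0; i < sizeof req / sizeof *req; i++)
        printf("%-22s -> %s\n", req[i].name,
               csrf_request_allowed(req[i].method, req[i].origin, site,
                                    req[i].token, session_token)
                   ? "allowed" : "refused");
    return 0;
}
```

The two checks are deliberately independent: the Origin comparison fails safe when the header is absent, and the token check does not depend on any header at all, so a proxy that strips Origin or a browser that omits it cannot turn a refusal into an acceptance.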

vulnerability bulletin CVE-2014-4703

Nagios Plugins: information disclosure via check_dhcp

Synthesis of the vulnerability

A local attacker can use check_dhcp of Nagios Plugins to read a file in INI format, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 30/06/2014.
Identifiers: CVE-2014-4703, FEDORA-2015-12972, FEDORA-2015-12987, VIGILANCE-VUL-14952.

Description of the vulnerability

The check_dhcp plugin of Nagios Plugins checks the availability of DHCP servers. It is installed setuid root.

The "--extra-opts" option reads additional arguments from a file in INI format:
  [section]
  var=val

check_dhcp reads these files with root privileges. To protect against VIGILANCE-VUL-14761, the plugin first checks whether the invoking user is allowed to read the file, and only then opens it. The check and the open operate on the path name, not on the same file: a local attacker can replace the path with a symbolic link between the two steps, so that the file actually opened is one he is not permitted to read.

An attacker can therefore use check_dhcp of Nagios Plugins to read a file in INI format, in order to obtain sensitive information.
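The race above and the hard-link variant of VIGILANCE-VUL-21495 (CVE-2016-10089) have the same cure: decide on the file descriptor you hold, not on the path name. The C code below is an added example, not the Nagios Plugins code. It opens the extra-opts file with O_NOFOLLOW, checks owner, mode and link count on the descriptor with fstat(), and only then parses the INI content shown above. The sample file, the /tmp directory and the function names are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an INI file on behalf of the real (unprivileged) user of a setuid
 * program and decide on the descriptor we hold, not on the path name: the
 * name can be swapped between a check and the open, the descriptor cannot.
 * Returns the descriptor, or -1 with errno set:
 *   ELOOP   last path component is a symbolic link (refused by O_NOFOLLOW)
 *   EMLINK  the inode has more than one name (a hard link may be the attacker's)
 *   EACCES  the real user could not read this file on his own
 *   EINVAL  not a regular file */
int open_ini_as_user(const char *path, uid_t ruid, gid_t rgid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    int err = 0;
    if (fstat(fd, &st) < 0)
        err = errno;
    else if (!S_ISREG(st.st_mode))
        err = EINVAL;
    else if (st.st_nlink != 1)
        err = EMLINK;
    else {
        /* Same class selection the kernel uses: owner, else group, else other.
         * Supplementary groups are ignored, which only makes this stricter. */
        mode_t bit = (st.st_uid == ruid) ? S_IRUSR
                   : (st.st_gid == rgid) ? S_IRGRP : S_IROTH;
        if (!(st.st_mode & bit))
            err = EACCES;
    }
    if (err) { close(fd); errno = err; return -1; }
    return fd;
}

/* Minimal reader for the "[section]" / "key=value" format. Copies the value
 * of key in [section] into out; returns 1 if found, 0 if not. */
int ini_lookup(int fd, const char *section, const char *key, char *out, size_t outlen)
{
    FILE *f = fdopen(dup(fd), "r");        /* dup: fclose must not close fd */
    if (!f)
        return 0;
    char line[512];
    int in_section = 0, found = 0;
    while (!found && fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        char *p = line + strspn(line, " \t");
        if (*p == '\0' || *p == ';' || *p == '#')
            continue;
        if (*p == '[') {
            char *end = strchr(p, ']');
            if (end) { *end = '\0'; in_section = strcmp(p + 1, section) == 0; }
            continue;
        }
        char *eq = strchr(p, '=');
        if (!in_section || !eq)
            continue;
        *eq = '\0';
        char *k = p, *v = eq + 1;
        size_t kl = strlen(k);
        while (kl > 0 && (k[kl - 1] == ' ' || k[kl - 1] == '\t'))
            k[--kl] = '\0';
        v += strspn(v, " \t");
        if (strcmp(k, key) == 0) { snprintf(out, outlen, "%s", v); found = 1; }
    }
    fclose(f);
    return found;
}

/* Constructed demonstration: a sample extra-opts file, then a symbolic link
 * and a hard link pointing at it. Returns 1 when the real file is accepted
 * and read, the symlink refused with ELOOP and the hard link with EMLINK. */
int demo(void)
{
    char dir[] = "/tmp/extra-opts-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char ini[128], sym[128], hard[128], value[64];
    snprintf(ini, sizeof ini, "%s/plugin.ini", dir);
    snprintf(sym, sizeof sym, "%s/symlink.ini", dir);
    snprintf(hard, sizeof hard, "%s/hardlink.ini", dir);
    FILE *f = fopen(ini, "w");
    if (!f)
        return 0;
    fputs("; sample extra-opts file, constructed for this example\n"
          "[check_dhcp]\nserverip = 192.0.2.1\ntimeout = 5\n", f);
    fclose(f);
    chmod(ini, 0600);
    uid_t me = getuid();
    gid_t mg = getgid();
    int ok = 1;
    int fd = open_ini_as_user(ini, me, mg);          /* 1. genuine file */
    ok &= fd >= 0 && ini_lookup(fd, "check_dhcp", "serverip", value, sizeof value)
       && strcmp(value, "192.0.2.1") == 0;
    if (fd >= 0)
        close(fd);
    ok &= symlink(ini, sym) == 0                     /* 2. planted symlink */
       && open_ini_as_user(sym, me, mg) < 0 && errno == ELOOP;
    ok &= link(ini, hard) == 0                       /* 3. planted hard link */
       && open_ini_as_user(hard, me, mg) < 0 && errno == EMLINK;
    unlink(hard); unlink(sym); unlink(ini); rmdir(dir);
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("real file accepted, symlink and hard link refused: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The st_nlink test is what matters for the hard-link case: the ownership check alone would still accept a root-owned, world-readable file reached through an attacker's link, and for a privileged chown (the startup-script case) ownership of the link's target is exactly what the attacker wants changed. A setuid plugin can also simply switch to the real uid before the open, which makes the kernel perform the same decision on the same inode.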

vulnerability bulletin CVE-2014-4702

Nagios Plugins: information disclosure via check_icmp

Synthesis of the vulnerability

A local attacker can use check_icmp of Nagios Plugins to read a file in INI format, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 21/05/2014.
Identifiers: CVE-2014-4702, FEDORA-2015-12972, FEDORA-2015-12987, VIGILANCE-VUL-14776.

Description of the vulnerability

The check_icmp plugin of Nagios Plugins is installed setuid root.

The "--extra-opts" option reads additional arguments from a file in INI format:
  [section]
  var=val

However, check_icmp opens these files with root privileges, without checking whether the invoking user is allowed to read them.

An attacker can therefore use check_icmp of Nagios Plugins to read a file in INI format, in order to obtain sensitive information.