Vulnerability Note VU#298796
Centreon contains multiple vulnerabilities
Original Release date: 17 Oct 2014 | Last revised: 17 Oct 2014
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 contain multiple vulnerabilities.
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) – CVE-2014-3829
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to command injection due to unsafe handling of session_id and template_id variables in displayServiceStatus.php and insufficient filtering on the command_line variable. The underlying operating system is then able to interpolate special characters, allowing for arbitrary commands to be injected.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2014-3828
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to SQL injection in the following php components:
Rapid7 reports that prior versions back to 2.0 may be affected. See the Rapid7 advisory for more details.
A remote unauthenticated attacker may be able to execute arbitrary OS and SQL commands.
The CERT/CC is currently unaware of a practical solution to this problem.
Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedCentreonAffected05 Sep 201415 Oct 2014If you are a vendor and your product is affected, let
CVSS Metrics (Learn More)
Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability and MaZ for the original vulnerability discovery.
This document was written by Chris King.
15 Oct 2014
Date First Published:
17 Oct 2014
Date Last Updated:
17 Oct 2014
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.