CVE-2020-13252 Information

Description

Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://engindemirbilek.github.io/centreon-19.10-rce https://github.com/centreon/centreon/compare/19.04.13…19.04.15 https://github.com/centreon/centreon/pull/8467 https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/centreon-19.10-rce.html

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8