A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php.
References
| Link | Resource |
|---|---|
| https://github.com/centreon/centreon/pull/9796 | Patch Third Party Advisory |
| https://www.synacktiv.com/sites/default/files/2021-07/Centreon_Multiple_vulnerabilities_0.pdf | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
10 Aug 2021, 21:35
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:centreon:centreon:*:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
| References | (MISC) https://github.com/centreon/centreon/pull/9796 - Patch, Third Party Advisory | |
| References | (MISC) https://www.synacktiv.com/sites/default/files/2021-07/Centreon_Multiple_vulnerabilities_0.pdf - Exploit, Third Party Advisory | |
| CWE | CWE-89 |
03 Aug 2021, 17:20
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2021-08-03 16:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-37558
Mitre link : CVE-2021-37558
CVE.ORG link : CVE-2021-37558
JSON object : View
Products Affected
centreon
- centreon
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')