LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. In affected versions of LibreNMS when a user accesses their device dashboard, one request is sent to `graph.php` to access graphs generated on the particular Device. This request can be accessed by a low privilege user and they can enumerate devices on librenms with their id or hostname. Leveraging this vulnerability a low privilege user can see all devices registered by admin users. This vulnerability has been addressed in commit `489978a923` which has been included in release version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Configurations
History
29 Nov 2023, 20:53
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
| First Time |
Librenms librenms
Librenms |
|
| CPE | cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:* | |
| CWE | NVD-CWE-noinfo | |
| References | () https://github.com/librenms/librenms/blob/fa93034edd40c130c2ff00667ca2498d84be6e69/html/graph.php#L19C1-L25C2 - Product | |
| References | () https://github.com/librenms/librenms/security/advisories/GHSA-fpq5-4vwm-78x4 - Exploit, Vendor Advisory | |
| References | () https://github.com/librenms/librenms/commit/489978a923ed52aa243d3419889ca298a8a6a7cf - Patch |
17 Nov 2023, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-11-17 22:15
Updated : 2023-12-10 15:26
NVD link : CVE-2023-48294
Mitre link : CVE-2023-48294
CVE.ORG link : CVE-2023-48294
JSON object : View
Products Affected
librenms
- librenms
CWE