Vulnerability Details : CVE-2014-3829
Public exploit exists!
displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) session_id or (2) template_id parameter, related to the command_line variable.
Products affected by CVE-2014-3829
- cpe:2.3:a:merethis:centreon:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:merethis:centreon_enterprise_server:2.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3829
34.83%
Probability of exploitation activity in the next 30 days
EPSS Score History
Percentile: ~97% (the proportion of vulnerabilities scored at or below this one)
Metasploit modules for CVE-2014-3829
- Centreon SQL and Command Injection
  Disclosure Date: 2014-10-15
  First seen: 2020-04-26
  Module: exploit/linux/http/centreon_sqli_exec
  This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands
CVSS scores for CVE-2014-3829
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST |
CWE ids for CVE-2014-3829
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3829
- http://www.kb.cert.org/vuls/id/298796
  VU#298796 - Centreon contains multiple vulnerabilities
  Tags: Third Party Advisory; US Government Resource
- https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde
  fix #5895 : security issues · centreon/centreon@cc21098 · GitHub
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html
  Centreon 2.5.3 — Centreon 19.10 documentation
- http://seclists.org/fulldisclosure/2014/Oct/78
  Full Disclosure: Multiple unauthenticated SQL injections and unauthenticated remote command injection in Centreon <= 2.5.2 and Centreon Enterprise Server <= 2.2|3.0
  Tags: Exploit