CVE-2019-17646 : An issue was discovered in Centreon before 18.10.8, 19.04.5, and 19.10.2. It pro

An issue was discovered in Centreon before 18.10.8, 19.04.5, and 19.10.2. It provides sensitive information via an unauthenticated direct request for api/external.php?object=centreon_metric&action=listByService.

Published 2020-03-05 20:15:12

Updated 2021-07-21 11:39:24

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-17646

Centreon » Centreon
Versions from including (>=) 18.0.0 and before (<) 18.10.8
cpe:2.3:a:centreon:centreon:*:*:*:*:*:*:*:*
Matching versions
Centreon » Centreon
Versions from including (>=) 19.10.0 and before (<) 19.10.2
cpe:2.3:a:centreon:centreon:*:*:*:*:*:*:*:*
Matching versions
Centreon » Centreon
Versions from including (>=) 19.04.0 and before (<) 19.04.5
cpe:2.3:a:centreon:centreon:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-17646

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-17646

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-17646

CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-17646

https://github.com/centreon/centreon/pull/8021

fix(acl): filter access to api using external entry point by kduret · Pull Request #8021 · centreon/centreon · GitHub
Patch;Third Party Advisory
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10.html#centreon-web-18-10-8

Centreon Web 18.10.12 — Centreon 19.10 documentation
Release Notes;Vendor Advisory

CVEs referencing this url
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10.html#centreon-web-19-10-2

Centreon Web 19.10.8 — Centreon 19.10 documentation
Release Notes;Vendor Advisory

CVEs referencing this url
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10/index.html

Centreon 19.10 — Centreon 19.10 documentation
Release Notes;Vendor Advisory

CVEs referencing this url
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html#centreon-web-19-04-5

Centreon Web 19.04.11 — Centreon 19.10 documentation
Release Notes;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-17646

Products affected by CVE-2019-17646

Exploit prediction scoring system (EPSS) score for CVE-2019-17646

CVSS scores for CVE-2019-17646

CWE ids for CVE-2019-17646

References for CVE-2019-17646