Vulnerability Details : CVE-2020-13977
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.
Vulnerability category: File inclusion
Products affected by CVE-2020-13977
- cpe:2.3:a:nagios:nagios:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13977
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~52% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2020-13977
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST | |
4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | 1.2 | 3.6 | NIST | |
CWE ids for CVE-2020-13977
- The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-13977
- https://www.nagios.org/projects/nagios-core/history/4x/
  Nagios Core 4.x Version History - Nagios (Release Notes; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/
  [SECURITY] Fedora 33 Update: nagios-4.4.6-3.fc33 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H7T6MSDWMBJEVVFSOK7DOYJJWDAFQCEQ/
  [SECURITY] Fedora 32 Update: nagios-4.4.6-3.fc32 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://anhtai.me/nagios-core-4-4-5-url-injection/
  Nagios Core 4.4.5 – URL Injection (CVE-2020-13977) (Exploit; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5P6NHNG2SJAM6DXVTXQH3AOJ4WQVKJUE/
  [SECURITY] Fedora 34 Update: nagios-4.4.6-4.fc34 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/sawolf/nagioscore/tree/url-injection-fix
  GitHub - sawolf/nagioscore at url-injection-fix (Product; Third Party Advisory)