Vulnerabilities > Icinga

DATE CVE VULNERABILITY TITLE RISK
2018-02-27 CVE-2018-6534 NULL Pointer Dereference vulnerability in Icinga
An issue was discovered in Icinga 2.x through 2.8.1.
network
icinga CWE-476
4.3
2018-02-27 CVE-2018-6533 Unspecified vulnerability in Icinga
An issue was discovered in Icinga 2.x through 2.8.1.
local
low complexity
icinga
7.2
2018-02-27 CVE-2018-6532 Resource Exhaustion vulnerability in Icinga
An issue was discovered in Icinga 2.x through 2.8.1.
network
low complexity
icinga CWE-400
5.0
2018-02-02 CVE-2018-6536 Incorrect Permission Assignment for Critical Resource vulnerability in Icinga
An issue was discovered in Icinga 2.x through 2.8.1.
local
low complexity
icinga CWE-732
4.9
2017-11-24 CVE-2017-16933 Incorrect Permission Assignment for Critical Resource vulnerability in Icinga
etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link.
local
icinga CWE-732
6.9
2017-11-18 CVE-2017-16882 Incorrect Permission Assignment for Critical Resource vulnerability in Icinga
Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account, a related issue to CVE-2017-14312.
local
low complexity
icinga CWE-732
4.6
2017-03-27 CVE-2015-8010 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi.
4.3
2014-02-28 CVE-2014-1878 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.
network
low complexity
icinga nagios CWE-119
5.0
2014-01-15 CVE-2013-7108 Improper Input Validation vulnerability in multiple products
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
network
low complexity
nagios icinga CWE-20
5.5
2014-01-15 CVE-2013-7107 Cross-Site Request Forgery (CSRF) vulnerability in Icinga
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspecified vectors, as demonstrated by bypassing authentication requirements for CVE-2013-7106.
network
icinga CWE-352
6.8