CVE-2015-1561
HIGH8.5EPSS 5.2%Centreon Command Injection
發布日:2022/5/14修改日:2024/2/16
描述
The `escape_command` function in `include/Administration/corePerformance/getStats.php` in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (offending file deleted in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `ns_id` parameter.
受影響套件(1)
- Packagist/centreon/centreonfrom 0, < 2.8.28
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-1561
- PATCHhttps://github.com/centreon/centreon-archived
- WEBhttp://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
- WEBhttps://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- WEBhttps://github.com/centreon/centreon-archived/commit/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- WEBhttps://github.com/centreon/centreon-archived/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a
- WEBhttps://github.com/centreon/centreon-archived/pull/7083
- WEBhttps://github.com/centreon/centreon-archived/pull/7271
- WEBhttps://web.archive.org/web/20201125112637/http://www.securityfocus.com/archive/1/535961/100/0/threaded