Vulnerability Details CVE-2020-13252
Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.276
EPSS Ranking 96.2%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 9.0
Products affected by CVE-2020-13252
- cpe:2.3:a:centreon:centreon:19.04.0
- cpe:2.3:a:centreon:centreon:19.04.1
- cpe:2.3:a:centreon:centreon:19.04.10
- cpe:2.3:a:centreon:centreon:19.04.11
- cpe:2.3:a:centreon:centreon:19.04.12
- cpe:2.3:a:centreon:centreon:19.04.13
- cpe:2.3:a:centreon:centreon:19.04.2
- cpe:2.3:a:centreon:centreon:19.04.3
- cpe:2.3:a:centreon:centreon:19.04.4
- cpe:2.3:a:centreon:centreon:19.04.5
- cpe:2.3:a:centreon:centreon:19.04.6
- cpe:2.3:a:centreon:centreon:19.04.7
- cpe:2.3:a:centreon:centreon:19.04.8
- cpe:2.3:a:centreon:centreon:19.04.9