727662 – (CVE-2020-13977) <net-analyzer/nagios-4.4.6: URL injection (post-authentication) vulnerability (CVE-2020-13977)

Bug 727662 (CVE-2020-13977) - <net-analyzer/nagios-4.4.6: URL injection (post-authentication) vulnerability (CVE-2020-13977)

Summary: <net-analyzer/nagios-4.4.6: URL injection (post-authentication) vulnerability...

Status:	RESOLVED FIXED

Alias:	CVE-2020-13977

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-06-09 13:58 UTC by Sam James
Modified:	2020-06-18 03:19 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	=net-analyzer/nagios-4.4.6 =net-analyzer/nagios-core-4.4.6
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-06-09 13:58:00 UTC

Description:
"Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files."

Comment 1 Sam James archtester

2020-06-09 13:58:45 UTC

@maintainer(s), please bump to 4.4.6.

Comment 2 Michael Orlitzky gentoo-dev

2020-06-09 19:33:31 UTC

Already added a month ago, feel free to stabilize.

Comment 3 Sam James archtester

2020-06-09 19:43:36 UTC

(In reply to Michael Orlitzky from comment #2)
> Already added a month ago, feel free to stabilize.

Thank you! Sorry, not sure how I missed it earlier.

Comment 4 NATTkA bot gentoo-dev

2020-06-09 19:44:38 UTC

Sanity check failed:

> net-analyzer/nagios-4.4.6
>   rdepend amd64 stable profile default/linux/amd64/17.0 (66 total)
>     ~net-analyzer/nagios-core-4.4.6
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     ~net-analyzer/nagios-core-4.4.6

Comment 5 Agostino Sarubbo gentoo-dev

2020-06-10 13:02:20 UTC

sparc stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-06-11 08:27:04 UTC

amd64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-06-11 08:30:30 UTC

ppc stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-06-11 08:32:40 UTC

ppc64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-06-11 08:35:51 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 10 Larry the Git Cow gentoo-dev

2020-06-11 12:34:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40f9c50e93d99e5afbddadfa6373e5637ff5a6e3

commit 40f9c50e93d99e5afbddadfa6373e5637ff5a6e3
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-11 12:29:42 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-11 12:31:50 +0000

    net-analyzer/nagios-core: remove old version subject to CVE-2020-13977.
    
    Bug: https://bugs.gentoo.org/727662
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 net-analyzer/nagios-core/Manifest                  |   1 -
 .../nagios-core/nagios-core-4.4.5-r6.ebuild        | 242 ---------------------
 2 files changed, 243 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01331133cc7b2bf1a859749a8e3d9902ac46be4c

commit 01331133cc7b2bf1a859749a8e3d9902ac46be4c
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-11 12:28:24 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-11 12:31:50 +0000

    net-analyzer/nagios: remove old version vulnerable to CVE-2020-13977.
    
    Bug: https://bugs.gentoo.org/727662
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 net-analyzer/nagios/nagios-4.4.5.ebuild | 15 ---------------
 1 file changed, 15 deletions(-)