製品・ソフトウェアに関する情報

JVN脆弱性詳細

Centreon および Centreon Enterprise Server における SQL インジェクションの脆弱性

Title	Centreon および Centreon Enterprise Server における SQL インジェクションの脆弱性
Summary	Centreon および Centreon Enterprise Server には、SQL インジェクションの脆弱性が存在します。
Possible impacts	第三者により、include/ 内の以下のパラメータを介して、任意の SQL コマンドを実行される可能性があります。 (1) views/graphs/common/makeXML_ListMetrics.php の index_id パラメータ (2) views/graphs/GetXmlTree.php の sid パラメータ (3) views/graphs/graphStatus/displayServiceStatus.php の session_id パラメータ (4) configuration/configObject/traps/GetXMLTrapsForVendor.php の mnftr_id パラメータ (5) common/javascript/commandGetArgs/cmdGetExample.php の index パラメータ
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 17, 2014, midnight
Registration Date	Oct. 28, 2014, 5:36 p.m.
Last Update	Oct. 28, 2014, 5:36 p.m.

Affected System

Centreon

Centreon 2.5.1

Centreon Enterprise Server 2.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-3828	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3828
National Vulnerability Database (NVD)
2	CVE-2014-3828	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3828

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
Centreon
1	About Centreon	https://www.centreon.com/en/products/centreon/

その他

No	Name	URL
JVN
1	JVNVU#96948961	http://jvn.jp/vu/JVNVU96948961
US-CERT Vulnerability Note
2	VU#298796	http://www.kb.cert.org/vuls/id/298796
関連文書
3	Multiple unauthenticated SQL injections and unauth enticated remote command injection in Centreon <= 2.5.2 and Centreon Enterprise Server <= 2.2\|3.0	http://seclists.org/fulldisclosure/2014/Oct/78

Change Log

No	Changed Details	Date of change
0	[2014年10月28日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-3828

Summary	Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.
Publication Date	Oct. 23, 2014, 10:55 a.m.
Registration Date	Jan. 26, 2021, 3:11 p.m.
Last Update	Nov. 21, 2024, 11:08 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:merethis:centreon:2.5.1:::::::*
cpe:2.3:a:merethis:centreon_enterprise_server:2.2:::::::*

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2014/Oct/78	Exploit
2	http://seclists.org/fulldisclosure/2014/Oct/78	Exploit
3	http://www.kb.cert.org/vuls/id/298796	Third Party Advisory US Government Resource
4	http://www.kb.cert.org/vuls/id/298796	Third Party Advisory US Government Resource
5	http://www.securityfocus.com/bid/70648	Exploit
6	http://www.securityfocus.com/bid/70648	Exploit
7	https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html
8	https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html
9	https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde
10	https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html