Vulnerability Name:
CVE-2009-2288 (CCN-51309)
Assigned:
2009-06-22
Published:
2009-06-22
Updated:
2010-04-03
Summary:
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
CVSS v3 Severity:
7.3 High
(CCN CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
Low
Integrity (I):
Low
Availibility (A):
Low
CVSS v2 Severity:
7.5 High
(CVSS v2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
)
6.5 Medium
(Temporal CVSS v2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
Partial
Availibility (A):
Partial
7.5 High
(CCN CVSS v2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
)
6.5 Medium
(CCN Temporal CVSS v2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Athentication (Au):
None
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
Partial
Availibility (A):
Partial
Vulnerability Type:
CWE-78
Vulnerability Consequences:
Gain Access
References:
Source: MITRE
Type: CNA
CVE-2009-2288
Source: CCN
Type: HP Security Bulletin HPSBMA02513 SSRT090110
Insight Control for Linux (IC-Linux) Remote Execution of Arbitrary Code, Local Unauthorized Elevation of Privilege
Source: HP
Type: UNKNOWN
SSRT090110
Source: CCN
Type: SA35543
Nagios "statuswml.cgi" Command Injection Vulnerability
Source: SECUNIA
Type: Vendor Advisory
35543
Source: SECUNIA
Type: UNKNOWN
35688
Source: SECUNIA
Type: UNKNOWN
35692
Source: CCN
Type: SA39227
HP Insight Control Suite For Linux Two Vulnerabilities
Source: SECUNIA
Type: UNKNOWN
39227
Source: GENTOO
Type: UNKNOWN
GLSA-200907-15
Source: CCN
Type: SECTRACK ID: 1022503
Nagios Input Validation Flaw in 'statuswml.cgi' Lets Remote Users Execute Arbitrary Commands
Source: CONFIRM
Type: Exploit
http://tracker.nagios.org/view.php?id=15
Source: DEBIAN
Type: UNKNOWN
DSA-1825
Source: DEBIAN
Type: DSA-1825
nagios3 -- insufficient input validation
Source: CCN
Type: GLSA-200907-15
Nagios: Execution of arbitrary code
Source: CCN
Type: Nagios Web site
Nagios 3 Version History, 3.1.1 - 06/22/2009
Source: CONFIRM
Type: UNKNOWN
http://www.nagios.org/development/history/core-3x/
Source: CCN
Type: OSVDB ID: 55281
Nagios statuswml.cgi Multiple Parameter Arbitrary Remote Shell Command Execution
Source: CCN
Type: BID-35464
Nagios 'statuswml.cgi' Remote Arbitrary Shell Command Injection Vulnerability
Source: CCN
Type: BID-39052
HP Insight Control for Linux Unspecified Local Privilege Escalation Vulnerability
Source: SECTRACK
Type: UNKNOWN
1022503
Source: CCN
Type: USN-795-1
Nagios vulnerability
Source: UBUNTU
Type: UNKNOWN
USN-795-1
Source: VUPEN
Type: UNKNOWN
ADV-2010-0750
Source: XF
Type: UNKNOWN
nagios-statuswml-command-execution(51309)
Source: SUSE
Type: SUSE-SR:2009:013
SUSE Security Summary Report
Vulnerable Configuration:
Configuration 1
:
cpe:/a:nagios:nagios:1.0:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.0b1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.0b2:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.0b4:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.4.1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.0:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.0b4:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.7:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.10:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha1:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha2:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha3:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha4:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta1:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta2:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta3:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta4:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta5:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta6:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta7:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:rc1:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:rc2:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:rc3:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.2:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.3:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.4:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.5:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.6:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:*:*:*:*:*:*:*:*
(Version <= 3.1.0)
Configuration CCN 1
:
cpe:/a:nagios:nagios:2.11:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.10:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.4:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.3:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.2:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:rc3:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:rc2:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:rc1:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.5:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.7:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.8:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.9:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0.6:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.0:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.0b1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.0b2:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.0b4:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:1.4.1:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.0:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:2.0b4:*:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta1:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha1:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha2:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha3:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:alpha4:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta2:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta3:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta4:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta5:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta6:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.0:beta7:*:*:*:*:*:*
OR
cpe:/a:nagios:nagios:3.1.0:*:*:*:*:*:*:*
AND
cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
OR
cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
OR
cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
OR
cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*
OR
cpe:/o:mandriva:enterprise_server:5:*:*:*:*:*:*:*
OR
cpe:/o:mandriva:enterprise_server:5:*:*:*:x86_64:*:*:*
Denotes that component is vulnerable
Oval Definitions
Definition ID
Class
Title
Last Modified
oval:org.opensuse.security:def:20092288
V
CVE-2009-2288
2022-05-20
oval:org.opensuse.security:def:29451
P
Security update for java-1_7_0-openjdk (Important)
2021-11-24
oval:org.opensuse.security:def:32223
P
Security update for postgresql, postgresql13, postgresql14 (Important)
2021-11-20
oval:org.opensuse.security:def:29415
P
Security update for bind (Moderate)
2021-08-30
oval:org.opensuse.security:def:32089
P
Security update for samba (Important)
2021-05-04
oval:org.opensuse.security:def:32015
P
Security update for openssl (Important)
2020-12-11
oval:org.opensuse.security:def:32004
P
Security update for postgresql12 (Important)
2020-12-04
oval:org.opensuse.security:def:32003
P
Security update for python-cryptography (Moderate)
2020-12-04
oval:org.opensuse.security:def:28576
P
Security update for libotr
2020-12-01
oval:org.opensuse.security:def:27994
P
Security update for MozillaFirefox (Important)
2020-12-01
oval:org.opensuse.security:def:32826
P
ant on GA media (Moderate)
2020-12-01
oval:org.opensuse.security:def:28678
P
Security update for MozillaFirefox, mozilla-nss (Important)
2020-12-01
oval:org.opensuse.security:def:32373
P
Security update for tcpdump (Important)
2020-12-01
oval:org.opensuse.security:def:28069
P
Security update for MozillaFirefox, mozilla-nss (Important)
2020-12-01
oval:org.opensuse.security:def:33503
P
Security update for nagios
2020-12-01
oval:org.opensuse.security:def:28733
P
Security update for kvm (Important)
2020-12-01
oval:org.opensuse.security:def:32616
P
xen on GA media (Moderate)
2020-12-01
oval:org.opensuse.security:def:28283
P
Security update for mysql (Important)
2020-12-01
oval:org.opensuse.security:def:32721
P
libnewt0_52 on GA media (Moderate)
2020-12-01
oval:org.opensuse.security:def:28424
P
Security update for wireshark (Low)
2020-12-01
oval:org.opensuse.security:def:27993
P
Security update for MozillaFirefox (Moderate)
2020-12-01
oval:org.opensuse.security:def:32782
P
rsync on GA media (Moderate)
2020-12-01
oval:org.opensuse.security:def:28629
P
Security update for Mozilla Firefox
2020-12-01
oval:org.opensuse.security:def:32316
P
Security update for rsync (Moderate)
2020-12-01
oval:org.opensuse.security:def:28005
P
Security update for ant (Moderate)
2020-12-01
oval:org.opensuse.security:def:33464
P
Security update for kdm
2020-12-01
oval:org.opensuse.security:def:28717
P
Security update for kdebase4-workspace
2020-12-01
oval:org.opensuse.security:def:32460
P
Security update for xorg-x11-libX11 (Important)
2020-12-01
oval:org.opensuse.security:def:28199
P
Security update for libgcrypt (Moderate)
2020-12-01
oval:org.opensuse.security:def:28777
P
Security update for openwsman
2020-12-01
oval:org.opensuse.security:def:32672
P
glib2 on GA media (Moderate)
2020-12-01
oval:org.opensuse.security:def:28340
P
Security update for php53 (Important)
2020-12-01
oval:org.opensuse.security:def:32760
P
opie on GA media (Moderate)
2020-12-01
oval:org.mitre.oval:def:13626
P
USN-795-1 -- nagios2, nagios3 vulnerability
2014-06-30
oval:org.mitre.oval:def:8200
P
DSA-1825 nagios2, nagios3 -- insufficient input validation
2014-06-23
oval:org.mitre.oval:def:13385
P
DSA-1825-1 nagios2, nagios3 -- insufficient input validation
2014-06-23
oval:org.debian:def:1825
V
insufficient input validation
2009-07-03
BACK
nagios
nagios 1.0
nagios
nagios 1.0b1
nagios
nagios 1.0b2
nagios
nagios 1.0b4
nagios
nagios 1.1
nagios
nagios 1.4.1
nagios
nagios 2.0
nagios
nagios 2.0b4
nagios
nagios 2.7
nagios
nagios 2.10
nagios
nagios 3.0
nagios
nagios 3.0 alpha1
nagios
nagios 3.0 alpha2
nagios
nagios 3.0 alpha3
nagios
nagios 3.0 alpha4
nagios
nagios 3.0 beta1
nagios
nagios 3.0 beta2
nagios
nagios 3.0 beta3
nagios
nagios 3.0 beta4
nagios
nagios 3.0 beta5
nagios
nagios 3.0 beta6
nagios
nagios 3.0 beta7
nagios
nagios 3.0 rc1
nagios
nagios 3.0 rc2
nagios
nagios 3.0 rc3
nagios
nagios 3.0.1
nagios
nagios 3.0.2
nagios
nagios 3.0.3
nagios
nagios 3.0.4
nagios
nagios 3.0.5
nagios
nagios 3.0.6
nagios
nagios *
nagios
nagios 2.11
nagios
nagios 2.10
nagios
nagios 3.0.4
nagios
nagios 3.0.3
nagios
nagios 3.0.2
nagios
nagios 3.0.1
nagios
nagios 3.0
nagios
nagios 3.0 rc3
nagios
nagios 3.0 rc2
nagios
nagios 3.0 rc1
nagios
nagios 3.0.5
nagios
nagios 2.7
nagios
nagios 2.8
nagios
nagios 2.9
nagios
nagios 3.0.6
nagios
nagios 1.0
nagios
nagios 1.0b1
nagios
nagios 1.0b2
nagios
nagios 1.0b4
nagios
nagios 1.1
nagios
nagios 1.4.1
nagios
nagios 2.0
nagios
nagios 2.0b4
nagios
nagios 3.0 beta1
nagios
nagios 3.0 alpha1
nagios
nagios 3.0 alpha2
nagios
nagios 3.0 alpha3
nagios
nagios 3.0 alpha4
nagios
nagios 3.0 beta2
nagios
nagios 3.0 beta3
nagios
nagios 3.0 beta4
nagios
nagios 3.0 beta5
nagios
nagios 3.0 beta6
nagios
nagios 3.0 beta7
nagios
nagios 3.1.0
gentoo
linux *
mandrakesoft
mandrake linux 2006
mandrakesoft
mandrake linux corporate server 4.0
mandrakesoft
mandrake linux corporate server 4.0
debian
debian linux 4.0
canonical
ubuntu 8.04
debian
debian linux 5.0
mandriva
enterprise server 5
mandriva
enterprise server 5
Denotes that component is vulnerable