Vulnerability CVE-2013-7107

Vulnerability Name:

CVE-2013-7107 (CCN-89800)

Assigned:

2013-12-16

Published:

2013-12-16

Updated:

2014-03-06

Summary:

Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspecified vectors, as demonstrated by bypassing authentication requirements for CVE-2013-7106.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-352

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2013-7107

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:0269

Source: CCN
Type: oss-sec Mailing List, Mon, 16 Dec 2013 21:22:40 +0100
Fwd: Vulnerability (Buffer Overflow) in Icinga 1.8, 1.9 and 1.10 (Icinga Issue #5250) Vulnerability (Off-by-one memory access) in Icinga 1.8, 1.9 and 1.10 (Icinga Issue #5251)

Source: CCN
Type: SA55990
Icinga Cross-Site Request Forgery Vulnerability

Source: CCN
Type: Icinga Web site
Home - Icinga: Open Source Monitoring

Source: MLIST
Type: UNKNOWN
[oss-security] 20131216 Fwd: Vulnerability (Buffer Overflow) in Icinga 1.8, 1.9 and 1.10 (Icinga Issue #5250) Vulnerability (Off-by-one memory access) in Icinga 1.8, 1.9 and 1.10 (Icinga Issue #5251)

Source: CCN
Type: OSVDB ID: 101021
Icinga Web Interface Multiple Admin Function CSRF

Source: CCN
Type: BID-64370
Icinga CVE-2013-7107 Cross Site Request Forgery Vulnerability

Source: MISC
Type: Vendor Advisory
https://dev.icinga.org/issues/5250

Source: CONFIRM
Type: Vendor Advisory
https://dev.icinga.org/issues/5346

Source: XF
Type: UNKNOWN
icinga-cve20137107-csrf(89800)

Source: CONFIRM
Type: Vendor Advisory
https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-7107

Vulnerable Configuration:

Configuration 1:

cpe:/a:icinga:icinga:0.8.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.3:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:0.8.4:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0:rc1:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.2.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.3.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.3.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.4.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.6.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.6.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.7.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.7.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.7.3:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.7.4:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.8.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.8.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.8.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.8.3:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.8.4:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.8.5:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.9.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.9.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.9.2:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.9.3:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.9.4:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.10.0:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.10.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:*:*:*:*:*:*:*:* (Version <= 1.10.2)

Configuration CCN 1:

cpe:/a:icinga:icinga:1.8.4:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.10.1:*:*:*:*:*:*:*

OR cpe:/a:icinga:icinga:1.9.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20137107	V	CVE-2013-7107	2022-06-30
oval:org.opensuse.security:def:112426	P	icinga-1.13.3-2.4 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105932	P	icinga-1.13.3-2.4 on GA media (Moderate)	2021-10-01
oval:org.mitre.oval:def:24722	P	DSA-2956-1 icinga - security update	2014-08-11
oval:com.ubuntu.precise:def:20137107000	V	CVE-2013-7107 on Ubuntu 12.04 LTS (precise) - low.	2014-01-15

BACK