Bug 1728580 (CVE-2018-17148)

Summary: CVE-2018-17148 Nagios XI: insufficient access control vulnerability in coreconfigsnapshot.php
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: affix, athmanem, b.heden, herrold, jose.p.oliveira.oss, lemenkov, redhat, shawn.starr, sisharma, smooge, ssaha, s, swilkerson, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Nagios XI 5.5.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-11 19:03:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1728581, 1728582    
Bug Blocks: 1728577    

Description Dhananjay Arunesh 2019-07-10 07:51:51 UTC 
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

Reference:
https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
Comment 1 Dhananjay Arunesh 2019-07-10 07:52:34 UTC 
Created nagios tracking bugs for this issue:

Affects: epel-all [bug 1728582]
Affects: fedora-all [bug 1728581]
Comment 2 Scott Wilkerson 2019-07-11 19:03:51 UTC 
This was for Nagios XI not nagios core.

Nagios XI is not distributed via epel, fedora or anything you have created all these bug for.
Comment 3 Hardik Vyas 2019-07-12 07:24:56 UTC 
Latest upstream release shipped for Nagios core is 4.4.3(and the flaw says fixed in 5.5.4 i.e for Nagios XI), XI[1] seems to be a commercial thing with is not included in any Red Hat offerings.

Closing out fedora and epel trackers as NOTABUG.

[1] https://www.nagios.com/products/nagios-xi/
Comment 4 Hardik Vyas 2019-07-12 07:24:59 UTC 
Statement:

This issue did not affect Red Hat Gluster Storage 3 as it does not ship Nagios XI.