Bug 470840 - (CVE-2008-5027) CVE-2008-5027 nagios: authorization bypass via custom form or browser addon
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
public=20081106,reported=20081106,sou...
: Security
Depends On: 469974 471019
Reported: 2008-11-10 11:08 EST by Tomas Hoger
Modified: 2012-03-27 04:44 EDT
Doc Type: Bug Fix
Last Closed: 2012-03-27 04:44:33 EDT

Attachments
Ubuntu patch to fix CVE-2008-5027 (2.13 KB, patch)
2009-03-23 17:42 EDT, Vincent Danen

Description Tomas Hoger 2008-11-10 11:08:54 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5027 to the following vulnerability:

The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor
before 4.0.1 allows remote authenticated users to bypass authorization
checks, and trigger execution of arbitrary programs by this process,
via an (a) custom form or a (b) browser addon.

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel
http://www.openwall.com/lists/oss-security/2008/11/06/2
http://www.nagios.org/development/history/nagios-3x.php
http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
http://www.securityfocus.com/bid/32156
Comment 3 Fedora Update System 2008-11-26 01:19:37 EST
nagios-3.0.5-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2009-03-23 17:42:14 EDT
Created attachment 336393
Ubuntu patch to fix CVE-2008-5027

Ubuntu has released an update to Nagios 2.11 and I am attaching the two patches used to fix this issue.

http://www.ubuntu.com/usn/USN-698-3
