CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 3CVE-2018-13441 – Nagios Core 4.4.1 - Denial of Service
https://notcve.org/view.php?id=CVE-2018-13441
12 Jul 2018 — qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket. qh_help en Nagios Core en versiones 4.4.1 y anteriores es propenso a una vulnerabilidad de desreferencia de puntero NULL que permite que un atacante provoque una condición de denegación de servicio (DoS) local mediante el envío de una carga útil manipulada al socket UNIX en escucha.... • https://packetstorm.news/files/id/148681 • CWE-476: NULL Pointer Dereference •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12847 – Gentoo Linux Security Advisory 201710-20
https://notcve.org/view.php?id=CVE-2017-12847
23 Aug 2017 — Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command. Nagios Core en versiones anteriores a la 4.3.3 crea un archivo nagios.lock PID tras eliminar privilegios a una cuenta no-root, lo que podría permitir que usuarios locales terminen procesos arbitrari... • http://www.securityfocus.com/bid/100403 • CWE-665: Improper Initialization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10089
https://notcve.org/view.php?id=CVE-2016-10089
15 Feb 2017 — Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641. Nagios 4.3.2 y anteriores permite a los usuarios locales obtener privilegios root mediante un ataque de vínculo físico en el archivo de script init de Nagios. Esta vulnerabilidad está relacionada con CVE-2016-8641. • http://www.openwall.com/lists/oss-security/2016/12/30/6 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2008-7313 – snoopy: incomplete fixes for command execution flaws
https://notcve.org/view.php?id=CVE-2008-7313
31 Jan 2017 — The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists dues to an incomplete fix for CVE-2008-4796. La función _httpsrequest en Snoopy permite a atacantes remotos ejecutar comandos arbitrarios. NOTA: este problema existe debido a una solución incompleta para CVE-2008-4796. Various command-execution flaws were found in the Snoopy library included with Nagios. • http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.27 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 0CVE-2014-5009 – snoopy: incomplete fixes for command execution flaws
https://notcve.org/view.php?id=CVE-2014-5009
31 Jan 2017 — Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008. Snoopy permite a atacantes remotos ejecutar comandos arbitrarios. NOTA: esta vulnerabilidad existe debido a una corrección incompleta para CVE-2014-5008. Various command-execution flaws were found in the Snoopy library included with Nagios. • http://rhn.redhat.com/errata/RHSA-2017-0211.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 19%CPEs: 1EXPL: 2CVE-2016-9566 – Nagios < 4.2.4 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-9566
15 Dec 2016 — base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. base/logging.c en Nagios Core en versiones anteriores a 4.2.4 permite a usuarios locales con acceso a una cuenta en el grupo nagios obtener privilegios a través de un ataque de symlink al archivo de inicio de sesión. NOTA: esto puede ser aprovechado por atacantes remotos u... • https://www.exploit-db.com/exploits/40921 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 26%CPEs: 1EXPL: 4CVE-2016-9565 – Nagios < 4.2.2 - Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2016-9565
15 Dec 2016 — MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796. MagpieRSS, como es usado en el componente front-end en Nagios Core en versiones anteriores a 4.2.2 podría permitir a atacantes remotos leer o escribir archivos arbitrarios falsificando una respuesta manipulada del servidor de ali... • https://packetstorm.news/files/id/140169 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 2CVE-2016-8641 – Nagios 4.2.2 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-8641
02 Dec 2016 — A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change. Se ha encontrado una vulnerabilidad de escalado de privilegios en nagios 4.2.x que ocurre en daemon-init.in al crear archivos necesarios y, posteriormente, cambiar de forma no ... • https://packetstorm.news/files/id/140292 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 1CVE-2008-4796 – Feed2JS File Disclosure
https://notcve.org/view.php?id=CVE-2008-4796
30 Oct 2008 — The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. La función _httpsrequest function (Snoopy/Snoopy.class.php) en Snoopy 1.2.3 y versiones anteriores, cuando es usada en (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost y posi... • https://packetstorm.news/files/id/127352 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •