// For flags

CVE-2014-1878

Debian Security Advisory 2956-1

Severity Score

8.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.

Desbordamiento de buffer basado en pila en la función cmd_submitf en cgi/cmd.c en Nagios Core, posiblemente 4.0.3rc1 y anteriores e Icinga anterior a 1.8.6, 1.9 anterior a 1.9.5 y 1.10 anterior a 1.10.3 permite a atacantes remotos causar una denegación de servicio (fallo de segmentación) a través de un mensaje largo hacia cmd.cgi.

USN-3253-1 fixed vulnerabilities in Nagios. The update prevented log files from being displayed in the web interface. This update fixes the problem. It was discovered that Nagios incorrectly handled certain long strings. A remote authenticated attacker could use this issue to cause Nagios to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that Nagios incorrectly handled certain long messages to cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to crash, resulting in a denial of service. Dawid Golunski discovered that Nagios incorrectly handled symlinks when accessing log files. A local attacker could possibly use this issue to elevate privileges. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-02-06 CVE Reserved
  • 2014-02-28 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-05-27 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 <= 1.8.5
Search vendor "Icinga" for product "Icinga" and version " <= 1.8.5"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.8.0
Search vendor "Icinga" for product "Icinga" and version "1.8.0"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.8.1
Search vendor "Icinga" for product "Icinga" and version "1.8.1"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.8.2
Search vendor "Icinga" for product "Icinga" and version "1.8.2"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.8.3
Search vendor "Icinga" for product "Icinga" and version "1.8.3"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.8.4
Search vendor "Icinga" for product "Icinga" and version "1.8.4"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.9.0
Search vendor "Icinga" for product "Icinga" and version "1.9.0"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.9.1
Search vendor "Icinga" for product "Icinga" and version "1.9.1"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.9.2
Search vendor "Icinga" for product "Icinga" and version "1.9.2"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.9.3
Search vendor "Icinga" for product "Icinga" and version "1.9.3"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.9.4
Search vendor "Icinga" for product "Icinga" and version "1.9.4"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.10.0
Search vendor "Icinga" for product "Icinga" and version "1.10.0"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.10.1
Search vendor "Icinga" for product "Icinga" and version "1.10.1"
-
Affected
Icinga
Search vendor "Icinga"
 Icinga
Search vendor "Icinga" for product "Icinga"
 1.10.2
Search vendor "Icinga" for product "Icinga" and version "1.10.2"
-
Affected
Nagios
Search vendor "Nagios"
 Nagios
Search vendor "Nagios" for product "Nagios"
 <= 4.0.3
Search vendor "Nagios" for product "Nagios" and version " <= 4.0.3"
rc1
Affected
Nagios
Search vendor "Nagios"
 Nagios
Search vendor "Nagios" for product "Nagios"
 4.0.0
Search vendor "Nagios" for product "Nagios" and version "4.0.0"
beta1
Affected
Nagios
Search vendor "Nagios"
 Nagios
Search vendor "Nagios" for product "Nagios"
 4.0.0
Search vendor "Nagios" for product "Nagios" and version "4.0.0"
beta2
Affected
Nagios
Search vendor "Nagios"
 Nagios
Search vendor "Nagios" for product "Nagios"
 4.0.0
Search vendor "Nagios" for product "Nagios" and version "4.0.0"
beta3
Affected
Nagios
Search vendor "Nagios"
 Nagios
Search vendor "Nagios" for product "Nagios"
 4.0.0
Search vendor "Nagios" for product "Nagios" and version "4.0.0"
beta4
Affected
Nagios
Search vendor "Nagios"
 Nagios
Search vendor "Nagios" for product "Nagios"
 4.0.2
Search vendor "Nagios" for product "Nagios" and version "4.0.2"
-
Affected