List:       oss-security
Subject:    Re: [oss-security] CVE request: unauthorized host/service views displayed in servicegroup view
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-06-26 19:42:42
Message-ID: 51CB4432.3070606 () redhat ! com

On 06/26/2013 12:36 PM, Vincent Danen wrote:
> I don't believe a CVE has been assigned to this issue yet.
> 
> It was reported that Nagios 3.4.4 at least, and possibly earlier 
> versions, would allow users with access to Nagios to obtain full
> access to the servicegroup overview, even if they are not
> authorized to view all of the systems (not configured for this
> ability in the authorized_for_* configuration option).  This
> includes the servicegroup overview, summary, and grid.
> 
> Provided the user has access to view some services, they will be
> able to see all services (including those they should not see).
> Note that the user in question must have access to some services
> and must have access to Nagios to begin with.
> 
> This has not yet been corrected upstream.
> 
> References:
> 
> http://www.mail-archive.com/nagios-users@lists.sourceforge.net/msg39749.html
> http://tracker.nagios.org/view.php?id=456
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171
> https://bugzilla.redhat.com/show_bug.cgi?id=978531
> 
> 
> Thanks.

Please use CVE-2013-2214 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993