CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.97 High
Percentile: 99.7%
Added: 04/13/2010
CVE: CVE-2009-2288
BID: 35464
OSVDB: 55281
Nagios is a network host and service monitoring and management system.
The Nagios statuswml.cgi script passes unsanitized data to the ping and traceroute commands, resulting in shell command execution via metacharacters. A successful remote attacker could use a specially crafted request to execute arbitrary commands.
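One way to close this class of bug, shown as an added example that is not Nagios code and not part of the original advisory: check the host value against an allowlist and hand it to ping as a single argv element rather than through a shell. The function names, the length limit and the ping options are assumptions made for the illustration.

```c
/* Added example, not Nagios source: allowlist a host argument and build
 * an argv for execv() so no shell ever parses it. Names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 253 /* longest valid DNS name */

/* Return 1 if s is acceptable as a host argument, 0 otherwise.
 * Only letters, digits, '.', '-' and ':' (IPv6) pass, so every shell
 * metacharacter, space and control byte is rejected by default. */
int is_safe_host_arg(const char *s)
{
    size_t i, len;
    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_HOST_LEN)
        return 0;
    if (s[0] == '-') /* would be read as an option by the command */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Fill argv (5 slots) for an execv() call on the ping binary.
 * Returns 0 on success, -1 if the host is rejected. The host is only
 * ever one argument; nothing concatenates it into a command line. */
int build_ping_argv(const char *host, const char *argv[5])
{
    if (!is_safe_host_arg(host))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "3";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[5];
    printf("%d\n", build_ping_argv("192.0.2.10", argv)); /* constructed input */
    return 0;
}
```

The same check applies to the traceroute path; the allowlist matters even with execv(), because a value beginning with '-' would otherwise be treated as a command option.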
Upgrade to Nagios 3.1.1 or later.
<http://secunia.com/advisories/35543/>
Exploit works on Nagios 2.11.
Valid Nagios user credentials must be provided.