PT-2017-16936 · Project Munin+2 · Munin+2
Stevie Trujillo · Published 2017-02-22 · Updated 2024-06-15 · CVE-2017-6188
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Munin versions prior to 2.999.6
Description
The issue allows local file write access when CGI graphs are enabled. By setting multiple upper limit GET parameters, it is possible to overwrite any file accessible to the www-data user. This can be achieved through specific API endpoints, although the exact endpoints are not specified.
Recommendations
For versions prior to 2.999.6, update to version 2.999.6 or later to resolve the issue.
As a temporary workaround, consider disabling CGI graphs until a patch is available.
Restrict the files accessible to the www-data user to minimize the risk of exploitation.
Fix
RCE
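Detection logic for the condition in the description, as an added example that is not part of the original advisory or of the Munin project: it flags CGI graph GET requests in a web access log that repeat the upper limit parameter. The parameter spelling `upper_limit`, the `munin-cgi-graph` path marker and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumptions (not stated on the advisory page): parameter spelling, path marker.
PARAM = "upper_limit"
PATH_MARKER = "munin-cgi-graph"

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, harmless values).
GRAPH = "/munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png"
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2017:10:00:01 +0000] "GET %s?upper_limit=100 HTTP/1.1" 200 5120' % GRAPH,
    '192.0.2.44 - - [22/Feb/2017:10:00:07 +0000] "GET %s?upper_limit=100&upper_limit=200 HTTP/1.1" 200 0' % GRAPH,
    '192.0.2.44 - - [22/Feb/2017:10:00:09 +0000] "GET %s?size_x=800;upper%%5Flimit=1;upper_limit=2&upper_limit=3 HTTP/1.1" 200 0' % GRAPH,
    '192.0.2.10 - - [22/Feb/2017:10:00:12 +0000] "GET /index.html?upper_limit=1&upper_limit=2 HTTP/1.1" 200 312',
]


def repeated_param_count(target, param=PARAM):
    """Count occurrences of `param` in the query string of a request target."""
    # Some CGI parsers also split on ';', so treat it like '&'.
    query = urlsplit(target).query.replace(";", "&")
    # parse_qsl percent-decodes names, so upper%5Flimit is counted too.
    pairs = parse_qsl(query, keep_blank_values=True)
    return sum(1 for name, _ in pairs if name == param)


def suspicious_requests(log_lines):
    """Return (line_no, client, count) for CGI graph GETs that repeat PARAM."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        target = match.group("target")
        if PATH_MARKER not in unquote(urlsplit(target).path):
            continue  # not a CGI graph request
        count = repeated_param_count(target)
        if count > 1:
            hits.append((line_no, line.split()[0], count))
    return hits


if __name__ == "__main__":
    for line_no, client, count in suspicious_requests(SAMPLE_LOG):
        print("line %d: client %s repeated %s %d times" % (line_no, client, PARAM, count))
```

A single occurrence of the parameter is normal graph usage, so only requests with a count above one are reported.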
Affected Products
Munin
Suse
Ubuntu