PT-2021-11601 · Nagios Xi · Nagios Xi

Published

2021-05-24

Updated

2022-07-12

CVE-2020-28910

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Nagios XI versions 5.7.5 and earlier

Description: The issue involves the creation of a temporary directory with insecure permissions, allowing for privilege escalation through the creation of symlinks. These symlinks are mishandled in the getprofile.sh function.

Recommendations: For Nagios XI versions 5.7.5 and earlier, consider restricting access to the getprofile.sh function until a patch is available. As a temporary workaround, avoid using the getprofile.sh function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732

Related Identifiers

CVE-2020-28910

Affected Products

Nagios Xi

PT-2021-11601 · Nagios Xi · Nagios Xi

CVE-2020-28910

Weakness Enumeration

Related Identifiers

Affected Products

References · 7