PT-2021-4024 · Centreon · Mediawiki
Published 2021-04-02 · Updated 2021-08-10
CVE-2021-37558
| CVSS v3.1 | Vector |
| --- | --- |
| 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Centreon versions prior to 20.04.14
Centreon versions prior to 20.10.8
Centreon versions prior to 21.04.2
Description
The MediaWiki knowledge-base proxy script shipped with Centreon builds SQL queries from the host name and service description parameters without protecting the query structure, so a remote, unauthenticated attacker can inject and execute arbitrary SQL commands through those two parameters. The vulnerability is exploitable only when a valid Knowledge Base URL is configured and points to a MediaWiki instance; the affected code is the proxy feature implemented in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php.
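The query-structure problem described above, as an added illustration that is not Centreon's code and does not reproduce the advisory's actual query: a constructed lookup of a knowledge-base URL by host name and service description, first with the two values concatenated into the SQL text and then with the same lookup using bound parameters. The table, column names, rows and function names are hypothetical, and SQLite is used so the block runs offline.

```python
"""Illustration of the vulnerability class in the advisory: the host name and
service description values are concatenated into the SQL text, so the input
changes the query's structure. The hardened form binds them as parameters.

Constructed example code, not Centreon's ProceduresProxy code. The table,
columns and rows are hypothetical; SQLite is used so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with a few constructed host/service rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE procedures (
            host_name           TEXT NOT NULL,
            service_description TEXT NOT NULL,
            kb_url              TEXT NOT NULL
        );
        INSERT INTO procedures VALUES
            ('web01',  'HTTP',  'https://wiki.example.test/Web01_HTTP'),
            ('db01',   'MySQL', 'https://wiki.example.test/Db01_MySQL'),
            ('backup', 'Rsync', 'https://wiki.example.test/Backup_Rsync');
        """
    )
    return conn


def lookup_vulnerable(conn, host_name, service_description):
    """Vulnerable: untrusted strings become part of the SQL text.

    A value such as  x' OR '1'='1  turns the WHERE clause into a tautology,
    and any value containing a quote terminates the literal, so the caller
    controls the query structure rather than only the compared values.
    """
    sql = (
        "SELECT kb_url FROM procedures WHERE host_name = '" + host_name
        + "' AND service_description = '" + service_description + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, host_name, service_description):
    """Hardened: the query text is fixed; the values are bound as parameters
    and are only ever compared as data, never parsed as SQL."""
    sql = (
        "SELECT kb_url FROM procedures "
        "WHERE host_name = ? AND service_description = ?"
    )
    return [row[0] for row in conn.execute(sql, (host_name, service_description))]


def compare(conn, host_name, service_description):
    """Run both lookups on the same input and report what each returns
    (or the error the vulnerable one raises when the input breaks the SQL)."""
    try:
        vulnerable = lookup_vulnerable(conn, host_name, service_description)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    hardened = lookup_hardened(conn, host_name, service_description)
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal lookup, a tautology payload, and a plain
    # value that merely contains a quote (a benign host name also breaks the
    # concatenated query, which is a useful detection hint in error logs).
    for host, svc in [("web01", "HTTP"),
                      ("x' OR '1'='1", "x' OR '1'='1"),
                      ("o'brien", "HTTP")]:
        print(repr(host), repr(svc), compare(db, host, svc))
```

The point of the contrast is that the fix is not escaping by hand: with bound parameters the query text never changes, so the tautology payload matches no row and the quoted host name is simply a string that does not exist in the table.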
Recommendations
For Centreon versions prior to 20.04.14, update to version 20.04.14 or later.
For Centreon versions prior to 20.10.8, update to version 20.10.8 or later.
For Centreon versions prior to 21.04.2, update to version 21.04.2 or later.
If the update cannot be applied immediately, restrict access to the host name and service description parameters of the affected MediaWiki proxy script as a temporary workaround, that is, restrict access to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php to minimize the risk of exploitation. Because exploitation requires a configured Knowledge Base URL pointing to a MediaWiki instance, leaving that URL unset until the update is applied removes the precondition; neither measure replaces the update.
Exploit
Fix
Weakness Enumeration
SQL injection
Related Identifiers
CVE-2021-37558
Affected Products
Centreon
Mediawiki