PT-2024-6880 · Centreon · Centreon

Published: 2024-06-21 · Updated: 2024-11-06 · CVE-2024-39842

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Centreon version 24.04.2

Description: A SQL injection vulnerability in Centreon allows a remote high-privileged attacker to execute arbitrary SQL commands via user massive changes inputs. The vulnerability stems from the lack of protection of the SQL query structure, allowing an attacker to elevate their privileges and execute arbitrary code using a specially crafted SQL query.

Recommendations: For Centreon version 24.04.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the updateContactServiceCommands MC, updateAccessGroupLinks, and updateContactHostCommands MC functions until a patch is available. Avoid using user massive changes inputs in the affected API endpoints until the issue is resolved.
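The description above points at an unprotected SQL query structure in the mass-change ("massive changes") handlers. The following PHP snippet is an added illustration of that bug class and its fix, not code from Centreon: a hypothetical mass-change handler applies a command change to a user-supplied list of contact IDs, first by splicing the IDs into the query text, then with validation and bound placeholders so the query structure is fixed before any data is added. Table and column names are assumptions.

```php
<?php
// Added illustration (not Centreon's code): mass-change handler that updates
// a command for a list of contact IDs posted by the user.
// Table "contact" and columns "contact_id" / "command_id" are hypothetical.

// Vulnerable form: the posted IDs become part of the SQL text, so a caller
// controls the query structure, not just the values.
function updateCommandsUnsafe(PDO $db, array $contactIds, int $commandId): void
{
    $list = implode(',', $contactIds);   // untrusted text spliced into SQL
    $db->exec("UPDATE contact SET command_id = $commandId WHERE contact_id IN ($list)");
}

// Hardened form: every ID must validate as an integer, and each one is bound
// to its own placeholder, so the query text never contains user input.
function updateCommandsSafe(PDO $db, array $contactIds, int $commandId): int
{
    $ids = [];
    foreach ($contactIds as $id) {
        $clean = filter_var($id, FILTER_VALIDATE_INT);
        if ($clean === false) {
            // Reject the whole batch rather than silently dropping entries.
            throw new InvalidArgumentException('Invalid contact id in mass change');
        }
        $ids[] = $clean;
    }
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "UPDATE contact SET command_id = ? WHERE contact_id IN ($placeholders)"
    );
    $stmt->execute(array_merge([$commandId], $ids));
    return $stmt->rowCount();
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact (contact_id INTEGER PRIMARY KEY, command_id INTEGER)');
$db->exec('INSERT INTO contact VALUES (1, 10), (2, 10), (3, 10)');

echo updateCommandsSafe($db, ['1', '3'], 42) . " rows updated\n";   // 2 rows updated
try {
    updateCommandsSafe($db, ['1', '3 OR 1=1'], 42);                 // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The unsafe function is kept only for contrast; the practical check when reviewing similar code is whether any request-controlled value reaches the query string rather than a bound parameter.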

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-08103
CVE-2024-39842
ZDI-24-1322
ZDI-24-1458
ZDI-24-1460

Affected Products

Centreon