oss-security - CVE request: unauthorized host/service views displayed in servicegroup view

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <20130626183621.GD3638@redhat.com>
Date: Wed, 26 Jun 2013 12:36:21 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: unauthorized host/service views displayed in
 servicegroup view

I don't believe a CVE has been assigned to this issue yet.

It was reported that Nagios 3.4.4 at least, and possibly earlier
versions, would allow users with access to Nagios to obtain full access
to the servicegroup overview, even if they are not authorized to view
all of the systems (not configured for this ability in the
authorized_for_* configuration option).  This includes the servicegroup
overview, summary, and grid.

Provided the user has access to view some services, they will be able to
see all services (including those they should not see).  Note that the
user in question must have access to some services and must have access
to Nagios to begin with.

This has not yet been corrected upstream.

References:

http://www.mail-archive.com/nagios-users@lists.sourceforge.net/msg39749.html
http://tracker.nagios.org/view.php?id=456
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714171
https://bugzilla.redhat.com/show_bug.cgi?id=978531

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.