CVE-2024-23117

Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability

CVE ID CVE-2024-23117

CVSS SCORE 7.2, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AFFECTED VENDORS Centreon

AFFECTED PRODUCTS Centreon

VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the updateContactServiceCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account.

ADDITIONAL DETAILS

Fixed in Centreon-web versions 22.10.15, 23.04.10 and 23.10.1

https://github.com/centreon/centreon/pull/2464

DISCLOSURE TIMELINE

2023-11-28 - Vulnerability reported to vendor

2024-02-09 - Coordinated public release of advisory

2024-07-01 - Advisory Updated

CREDIT Rocco Calvi (@TecR0c) with TecSecurity