OpenCVE

An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nagios	Nagios Xi

Configuration 1 [-]

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html
http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html
https://www.nagios.com/downloads/nagios-xi/change-log/
https://www.nagios.com/products/security/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-13T20:19:50

Updated: 2024-08-04T17:09:14.253Z

Reserved: 2020-12-20T00:00:00

Link: CVE-2020-35578

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-01-13T21:15:12.647

Modified: 2024-11-21T05:27:37.497

Link: CVE-2020-35578

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-15T15:06:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.nagios.com/products/security/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35578", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.nagios.com/downloads/nagios-xi/change-log/", "refsource": "MISC", "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"}, {"name": "https://www.nagios.com/products/security/", "refsource": "CONFIRM", "url": "https://www.nagios.com/products/security/"}, {"name": "http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:09:14.253Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.nagios.com/products/security/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35578", "datePublished": "2021-01-13T20:19:50", "dateReserved": "2020-12-20T00:00:00", "dateUpdated": "2024-08-04T17:09:14.253Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C5E0E33-4BD8-4FFE-9DF3-DB42D84495CB", "versionEndExcluding": "5.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands."}, {"lang": "es", "value": "Se detect\u00f3 un problema en la p\u00e1gina Manage Plugins en Nagios XI versiones anteriores a 5.8.0. Debido a que la funcionalidad line-ending conversion es manejada inapropiadamente durante la carga de un plugin, un usuario administrador autenticado y remoto puede ejecutar comandos del sistema operativo."}], "id": "CVE-2020-35578", "lastModified": "2024-11-21T05:27:37.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-13T21:15:12.647", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.nagios.com/products/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.nagios.com/downloads/nagios-xi/change-log/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.nagios.com/products/security/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}