LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

nagios: information disclosure

Package(s):nagios CVE #(s):CVE-2013-2214
Created:July 8, 2013 Updated:July 10, 2013
Description: From the SUSE bugzilla entry:

It was reported that Nagios 3.4.4 at least, and possibly earlier versions, would allow users with access to Nagios to obtain full access to the servicegroup overview, even if they are not authorized to view all of the systems (not configured for this ability in the authorized_for_* configuration option). This includes the servicegroup overview, summary, and grid.

Provided the user has access to view some services, they will be able to see all services (including those they should not see). Note that the user in question must have access to some services and must have access to Nagios to begin with.

Alerts:
openSUSE openSUSE-SU-2013:1158-1 2013-07-08
openSUSE openSUSE-SU-2013:1160-1 2013-07-08
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds