CVE-2013-7108

Name
CVE-2013-7108
Description
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
NVD Severity
unknown

References

| Type | URI |
|---|---|
| Vendor Advisory | https://dev.icinga.org/issues/5251 |
| Vendor Advisory | http://secunia.com/advisories/56316 |
| Vendor Advisory | http://secunia.com/advisories/55976 |
| MLIST | http://www.openwall.com/lists/oss-security/2013/12/24/1 |
| CONFIRM | https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/ |
| SUSE | http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html |
| SUSE | http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html |
| CONFIRM | http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/ |
| SUSE | http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html |
| MANDRIVA | http://www.mandriva.com/security/advisories?name=MDVSA-2014:004 |
| SUSE | http://lists.opensuse.org/opensuse-updates/2014-01/msg00068.html |
| BID | http://www.securityfocus.com/bid/64363 |
| MLIST | https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:nagios:nagios:3.0:alpha1:*:*:*:*:*:* | nagios | == None | == 3.0 |
| cpe:2.3:a:nagios:nagios:3.0.3:*:*:*:*:*:*:* | nagios | == None | == 3.0.3 |
| cpe:2.3:a:nagios:nagios:3.0.4:*:*:*:*:*:*:* | nagios | == None | == 3.0.4 |
| cpe:2.3:a:nagios:nagios:3.2.1:*:*:*:*:*:*:* | nagios | == None | == 3.2.1 |
| cpe:2.3:a:nagios:nagios:3.2.2:*:*:*:*:*:*:* | nagios | == None | == 3.2.2 |
| cpe:2.3:a:nagios:nagios:3.2.3:*:*:*:*:*:*:* | nagios | == None | == 3.2.3 |
| cpe:2.3:a:nagios:nagios:*:*:*:*:*:*:*:* | nagios | >= None | <= 4.0.2 |
| cpe:2.3:a:nagios:nagios:3.0.1:*:*:*:*:*:*:* | nagios | == None | == 3.0.1 |
| cpe:2.3:a:nagios:nagios:3.0.2:*:*:*:*:*:*:* | nagios | == None | == 3.0.2 |
| cpe:2.3:a:nagios:nagios:3.1.2:*:*:*:*:*:*:* | nagios | == None | == 3.1.2 |
| cpe:2.3:a:nagios:nagios:3.2.0:*:*:*:*:*:*:* | nagios | == None | == 3.2.0 |
| cpe:2.3:a:nagios:nagios:3.4.3:*:*:*:*:*:*:* | nagios | == None | == 3.4.3 |
| cpe:2.3:a:nagios:nagios:3.5.1:*:*:*:*:*:*:* | nagios | == None | == 3.5.1 |
| cpe:2.3:a:nagios:nagios:3.1.0:*:*:*:*:*:*:* | nagios | == None | == 3.1.0 |
| cpe:2.3:a:nagios:nagios:3.1.1:*:*:*:*:*:*:* | nagios | == None | == 3.1.1 |
| cpe:2.3:a:nagios:nagios:3.4.1:*:*:*:*:*:*:* | nagios | == None | == 3.4.1 |
| cpe:2.3:a:nagios:nagios:3.4.2:*:*:*:*:*:*:* | nagios | == None | == 3.4.2 |
| cpe:2.3:a:nagios:nagios:3.0.5:*:*:*:*:*:*:* | nagios | == None | == 3.0.5 |
| cpe:2.3:a:nagios:nagios:3.0.6:*:*:*:*:*:*:* | nagios | == None | == 3.0.6 |
| cpe:2.3:a:nagios:nagios:3.3.1:*:*:*:*:*:*:* | nagios | == None | == 3.3.1 |
| cpe:2.3:a:nagios:nagios:3.4.0:*:*:*:*:*:*:* | nagios | == None | == 3.4.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| nagios | 3.12-main | 3.5.1-r6 | Carlo Landmeter <clandmeter@gmail.com> | possibly vulnerable |
| nagios | 3.11-main | 3.5.1-r6 | Carlo Landmeter <clandmeter@gmail.com> | possibly vulnerable |