ganglia-web before 3.7.1 allows remote attackers to bypass authentication.

Update to ganglia-web 3.7.1, including security fix for CVE-2015-6816.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ganglia-web auth can be bypassed using boolean serialization (CVE-2015-6816).

Ivan Novikov reports :

It's easy to bypass auth by using boolean serialization...

ID	Name	Product	Family	Severity
89452	Fedora 22 : ganglia-3.7.2-6.fc22 (2015-ee7a2b5844)	Nessus	Fedora Local Security Checks	critical
89436	Fedora 23 : ganglia-3.7.2-6.fc23 (2015-de8ba28354)	Nessus	Fedora Local Security Checks	critical
89367	Fedora 21 : ganglia-3.7.2-6.fc21 (2015-accdc7ebfc)	Nessus	Fedora Local Security Checks	critical
87016	Amazon Linux AMI : ganglia (ALAS-2015-612)	Nessus	Amazon Linux Local Security Checks	critical
85863	FreeBSD : ganglia-webfrontend -- auth bypass (d68df01b-564e-11e5-9ad8-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2015-6816

critical

Tenable Plugins

critical

critical

critical

critical

critical