Check_MK 1.2.2 < 1.2.2p3 / 1.2.3 < 1.2.3i5 Multiple Vulnerabilities

medium Nessus Plugin ID 101086

Synopsis

An IT monitoring application running on the remote host is affected by multiple vulnerabilities.

Description

The version of Check_MK running on the remote web server is 1.2.2 prior to 1.2.2p3 or 1.2.3 prior to 1.2.3i5. It is, therefore, affected by multiple vulnerabilities:

- Multiple cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2014-2329)

- A flaw exists that allows an authenticated, remote attacker to delete arbitrary files via a request to an unspecified link. (CVE-2014-2332)

Solution

Upgrade to Check_MK version 1.2.2p3 / 1.2.3i5 or later.

See Also

https://www.securityfocus.com/archive/1/531594

https://www.securityfocus.com/archive/1/531656

Plugin Details

Severity: Medium

ID: 101086

File Name: check_mk_1_2_3_i5.nasl

Version: 2.6

Type: remote

Family: CGI abuses

Published: 6/28/2017

Updated: 11/13/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:check_mk_project:check_mk

Exploit Ease: No known exploits are available

Patch Publication Date: 3/24/2014

Vulnerability Publication Date: 3/24/2014

Reference Information

CVE: CVE-2014-2329, CVE-2014-2332

BID: 66391, 66396