Munin Resource Monitoring < 2.0.6 Multiple Vulnerabilities
Medium Nessus Network Monitor Plugin ID 6948
Synopsis
The remote web server is utilizing a resource monitoring tool.
Description
Munin is a networked resource monitoring tool. Versions of Munin prior to 2.0.6 are affected by the following vulnerabilities:
- The qmailscan plugin allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names (CVE-2012-2103).
- Munin stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin (CVE-2012-3512).
- munin-cgi-graph, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command (CVE-2012-3513).
Solution
Update the affected munin, munin-master and/or munin-node packages to 2.0.6-1 or the latest release.
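The condition behind CVE-2012-3512 (privileged state files kept in a directory that other users can write to) can be checked on a host with a short audit. The script below is an added example, not part of the plugin or of Munin; the function name, the directory passed in and the sample file names are assumptions, and the demo uses the current uid in place of root so it runs unprivileged.

```python
import os
import stat
import tempfile


def audit_state_dir(path, privileged_uid=0):
    """Return (entry, reason) findings for the CVE-2012-3512 pattern.

    Findings are reported only when the directory is writable by group or
    others, because those users can then replace or pre-create entries
    that a plugin running as `privileged_uid` will later read.
    """
    findings = []
    dir_mode = os.stat(path).st_mode
    if not dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return findings  # only the owner can create or replace entries

    for entry in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, entry))  # lstat: never follow links
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink in shared state directory"))
        elif st.st_uid == privileged_uid:
            findings.append(
                (entry, "privileged state file in group/world-writable directory")
            )
    return findings


def demo():
    # Constructed sample: a temporary directory stands in for the plugin
    # state directory, and the file names are made up for illustration.
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "smart-sda.state"), "w").close()
        os.symlink("/nonexistent", os.path.join(d, "other.state"))
        os.chmod(d, 0o775)  # group-writable: the vulnerable layout
        shared = audit_state_dir(d, privileged_uid=uid)
        os.chmod(d, 0o755)  # owner-only write: nothing to report
        private = audit_state_dir(d, privileged_uid=uid)
    return shared, private


if __name__ == "__main__":
    for name, reason in demo()[0]:
        print(f"{name}: {reason}")
```

On a real host, pass the node's plugin state directory and leave `privileged_uid` at its default of 0.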