Vulnerability Description
Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and may be leveraged to execute commands on the underlying XI host, modify system configuration, or fully compromise the host.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Nagios Xi | < 5.6.14 |
Related Weaknesses (CWE)
References
- https://www.nagios.com/changelog/nagios-xi/Release Notes
- https://www.nagios.com/products/security/#nagios-xiRelease Notes
- https://www.vulncheck.com/advisories/nagios-xi-authenticated-rce-command-test-phThird Party Advisory
FAQ
What is CVE-2020-36856?
CVE-2020-36856 is a vulnerability with a CVSS score of 8.8 (HIGH). Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an auth...
How severe is CVE-2020-36856?
CVE-2020-36856 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-36856?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Nagios Xi.