PT-2024-14: Path Traversal and Untrusted Upload File in Pandora FMS

HIGH

(8.6) CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Check your traffic-for free

Vendor: Pandora FMS

Product: Pandora FMS

Vulnerable version: 700-776

Vulnerability type:

- CWE-35: Path Traversal: '.../...//'

Identifier (ID):

BDU:2024-03167

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

- Severity (CVSSv3.1): 9.1 (critical)

Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

- Severity (CVSSv4.0): 8.6 (high)

Description:

The vulnerability was identified in Pandora FMS, versions from 700 through <776.

The vulnerability allows to modify directories, create and upload files outside of authorized directories.

The vulnerability is a part of a chain that leads to remote code execution and complete server compromise (PT-ID-2024-13, CVE-2023-44090).

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 10.01.2024

Recommendations: Update to version NG 776 RRR or higher.

Additional information:

- Release notes
- Security Bulletin
- Press-Release

Researcher: Aleksey Solovev (Positive Technologies)

Identifier:

CVE-2023-41793

BDU:2024-03167

Vendor:

Pandora FMS

Vulnerable product:

Pandora FMS

Get in touch

Fill in the form and our specialists
will contact you shortly

General
questions

We're happy to answer any questions you may have.

Partnership

Join us in making the world a safer place.

Request a pilot

Test drive our solutions with a customized pilot program.