PT-2024-20: Unauth Time-Based SQL Injection in Pandora FMS

CRITICAL

(9.3) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

THREATSCAPE

Analytics articles

What are the security threats on your network?

Check your traffic-for free

Request pilot

Vendor: Pandora FMS

Product: Pandora FMS

Vulnerable version: 700-776

Vulnerability type:

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Identifier (ID):

BDU:2024-04832

CVE-2024-35305

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- Severity (CVSSv3.1): 9.8 (critical)

- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

- Severity (CVSSv4.0): 9.3 (critical)

Description:

The vulnerability was identified in Pandora FMS versions 700 to 776.
Due to insufficient sanitization of the authorization header, Time-Based SQL Injection vulnerability may be exploited. The discovered vulnerability can be exploited by an attacker to access sensitive data.

The vulnerability does not require authentication and is a part of the chain that leads to remote code execution (PT-2024-21, CVE-2024-35306).

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 10.06.2024

Recommendations: Update to version NG 777 LTS or higher.

Additional information:

Security Bulletin

Release Notes

Researcher: Aleksey Solovev (Positive Technologies)

Identifier:

CVE-2024-35305

BDU:2024-04832

Vendor:

Pandora FMS

Vulnerable product:

Pandora FMS

Get in touch

Fill in the form and our specialists
will contact you shortly

General
questions

We're happy to answer any questions you may have.

Partnership

Join us in making the world a safer place.

Request a pilot

Test drive our solutions with a customized pilot program.