PT-2024-21: OS Command Injection in Pandora FMS

CRITICAL

(9.2) CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

THREATSCAPE

Analytics articles

10 December 2024
Artificial intelligence in cyberattacks
9 December 2024
A look at India through the dark web: what hackers are after
27 November 2024
Cyberthreats in the financial industry: H2 2023 – H1 2024

What are the security threats on your network?

Check your traffic-for free

Request pilot

Vendor: Pandora FMS

Product: Pandora FMS

Vulnerable version: 700-776

Vulnerability type:

- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Identifier (ID):

CVE-2024-35306

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

- Severity (CVSSv3.1): 9.1 (critical)

- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

- Severity (CVSSv4.0): 9.2 (critical)

Description:

The vulnerability was identified in Pandora FMS versions 700 to 776.
The discovered vulnerability can be exploited by an attacker to inject commands into the operating system.

The vulnerability is a part of the chain that leads to remote code execution (PT-2024-20, CVE-2024-35305).

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 10.06.2024

Recommendations: Update to version NG 777 LTS or higher.

Additional information:

Security Bulletin

Release Notes

Researcher: Aleksey Solovev (Positive Technologies)

Identifier:

CVE-2024-35306

BDU:2024-07175

Vendor:

Pandora FMS

Vulnerable product:

Pandora FMS

Get in touch

Fill in the form and our specialists
will contact you shortly

General
questions

We're happy to answer any questions you may have.

Partnership

Join us in making the world a safer place.

Pilot
application

Test drive our solutions with a customized pilot program.