Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authenticated remote code execution in Thruk
Vulnerability Description
Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called. The vulnerability can be exploited by an authorized user with network access. This issue has been addressed in version 3.16. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Thruk 安全漏洞
Vulnerability Description
Thruk是德国Sven Nierlein个人开发者的一个开源的多后端监控网络界面。 Thruk 3.16之前版本存在安全漏洞,该漏洞源于在生成PDF报告时没有正确处理 url 参数。具有报告功能访问权限的授权攻击者可以注入任意命令,这些命令将在调用脚本 /script/html2pdf.sh时执行。
CVSS Information
N/A
Vulnerability Type
N/A