openITCOCKPIT has Authenticated Command Injection Leading to Remote Code Execution via Host Address Macro Expansion

openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

输入验证不恰当

openITCOCKPIT 操作系统命令注入漏洞

openITCOCKPIT是openITCOCKPIT开源的一个系统监控软件。 openITCOCKPIT 5.5.2之前版本存在操作系统命令注入漏洞，该漏洞源于用户控制的属性未经验证即扩展至监控命令模板，可能导致经过身份验证的用户执行任意OS命令。

N/A

N/A