CVE-2013-7108: Input Validation
First published: Wed Jan 15 2014(Updated: )
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nagios Plugins | <=4.0.2 | |
| Nagios Plugins | =3.0 | |
| Nagios Plugins | =3.0-alpha1 | |
| Nagios Plugins | =3.0-alpha2 | |
| Nagios Plugins | =3.0-alpha3 | |
| Nagios Plugins | =3.0-alpha4 | |
| Nagios Plugins | =3.0-alpha5 | |
| Nagios Plugins | =3.0-beta1 | |
| Nagios Plugins | =3.0-beta2 | |
| Nagios Plugins | =3.0-beta3 | |
| Nagios Plugins | =3.0-beta4 | |
| Nagios Plugins | =3.0-beta5 | |
| Nagios Plugins | =3.0-beta6 | |
| Nagios Plugins | =3.0-beta7 | |
| Nagios Plugins | =3.0-rc1 | |
| Nagios Plugins | =3.0-rc2 | |
| Nagios Plugins | =3.0-rc3 | |
| Nagios Plugins | =3.0.1 | |
| Nagios Plugins | =3.0.2 | |
| Nagios Plugins | =3.0.3 | |
| Nagios Plugins | =3.0.4 | |
| Nagios Plugins | =3.0.5 | |
| Nagios Plugins | =3.0.6 | |
| Nagios Plugins | =3.1.0 | |
| Nagios Plugins | =3.1.1 | |
| Nagios Plugins | =3.1.2 | |
| Nagios Plugins | =3.2.0 | |
| Nagios Plugins | =3.2.1 | |
| Nagios Plugins | =3.2.2 | |
| Nagios Plugins | =3.2.3 | |
| Nagios Plugins | =3.3.1 | |
| Nagios Plugins | =3.4.0 | |
| Nagios Plugins | =3.4.1 | |
| Nagios Plugins | =3.4.2 | |
| Nagios Plugins | =3.4.3 | |
| Nagios Plugins | =3.5.1 | |
| Icinga Icinga Web 2 | <=1.8.4 | |
| Icinga Icinga Web 2 | =0.8.0 | |
| Icinga Icinga Web 2 | =0.8.1 | |
| Icinga Icinga Web 2 | =0.8.2 | |
| Icinga Icinga Web 2 | =0.8.3 | |
| Icinga Icinga Web 2 | =0.8.4 | |
| Icinga Icinga Web 2 | =1.0 | |
| Icinga Icinga Web 2 | =1.0-rc1 | |
| Icinga Icinga Web 2 | =1.0.1 | |
| Icinga Icinga Web 2 | =1.0.2 | |
| Icinga Icinga Web 2 | =1.0.3 | |
| Icinga Icinga Web 2 | =1.2.0 | |
| Icinga Icinga Web 2 | =1.2.1 | |
| Icinga Icinga Web 2 | =1.3.0 | |
| Icinga Icinga Web 2 | =1.3.1 | |
| Icinga Icinga Web 2 | =1.4.0 | |
| Icinga Icinga Web 2 | =1.4.1 | |
| Icinga Icinga Web 2 | =1.6.0 | |
| Icinga Icinga Web 2 | =1.6.1 | |
| Icinga Icinga Web 2 | =1.6.2 | |
| Icinga Icinga Web 2 | =1.7.0 | |
| Icinga Icinga Web 2 | =1.7.1 | |
| Icinga Icinga Web 2 | =1.7.2 | |
| Icinga Icinga Web 2 | =1.7.3 | |
| Icinga Icinga Web 2 | =1.7.4 | |
| Icinga Icinga Web 2 | =1.8.0 | |
| Icinga Icinga Web 2 | =1.8.1 | |
| Icinga Icinga Web 2 | =1.8.2 | |
| Icinga Icinga Web 2 | =1.8.3 | |
| Icinga Icinga Web 2 | =1.9.0 | |
| Icinga Icinga Web 2 | =1.9.1 | |
| Icinga Icinga Web 2 | =1.9.2 | |
| Icinga Icinga Web 2 | =1.9.3 | |
| Icinga Icinga Web 2 | =1.10.0 | |
| Icinga Icinga Web 2 | =1.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00068.html
- http://secunia.com/advisories/55976
- http://secunia.com/advisories/56316
- http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:004
- http://www.openwall.com/lists/oss-security/2013/12/24/1
- http://www.securityfocus.com/bid/64363
- https://dev.icinga.org/issues/5251
- https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html
- https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/
Frequently Asked Questions
What is the severity of CVE-2013-7108?
CVE-2013-7108 has a severity rating of medium, indicating potential for compromise if exploited.
How do I fix CVE-2013-7108?
To fix CVE-2013-7108, update Nagios to version 4.0.3 or later and Icinga to version 1.10.2 or later.
Which versions of Nagios are affected by CVE-2013-7108?
Affected versions of Nagios include 3.5.1 and 4.0.2 and earlier.
Which versions of Icinga are affected by CVE-2013-7108?
Icinga versions before 1.8.5, specifically 1.9 before 1.9.4 and 1.10 before 1.10.2 are affected.
Can CVE-2013-7108 lead to denial of service attacks?
Yes, CVE-2013-7108 can allow remote authenticated users to cause a denial of service (crash) through specially crafted input.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/nagios
- canonical/nagios plugins
- version/nagios plugins/4.0.2
- version/nagios plugins/3.0
- version/nagios plugins/3.0-alpha1
- version/nagios plugins/3.0-alpha2
- version/nagios plugins/3.0-alpha3
- version/nagios plugins/3.0-alpha4
- version/nagios plugins/3.0-alpha5
- version/nagios plugins/3.0-beta1
- version/nagios plugins/3.0-beta2
- version/nagios plugins/3.0-beta3
- version/nagios plugins/3.0-beta4
- version/nagios plugins/3.0-beta5
- version/nagios plugins/3.0-beta6
- version/nagios plugins/3.0-beta7
- version/nagios plugins/3.0-rc1
- version/nagios plugins/3.0-rc2
- version/nagios plugins/3.0-rc3
- version/nagios plugins/3.0.1
- version/nagios plugins/3.0.2
- version/nagios plugins/3.0.3
- version/nagios plugins/3.0.4
- version/nagios plugins/3.0.5
- version/nagios plugins/3.0.6
- version/nagios plugins/3.1.0
- version/nagios plugins/3.1.1
- version/nagios plugins/3.1.2
- version/nagios plugins/3.2.0
- version/nagios plugins/3.2.1
- version/nagios plugins/3.2.2
- version/nagios plugins/3.2.3
- version/nagios plugins/3.3.1
- version/nagios plugins/3.4.0
- version/nagios plugins/3.4.1
- version/nagios plugins/3.4.2
- version/nagios plugins/3.4.3
- version/nagios plugins/3.5.1
- vendor/icinga
- canonical/icinga icinga web 2
- version/icinga icinga web 2/1.8.4
- version/icinga icinga web 2/0.8.0
- version/icinga icinga web 2/0.8.1
- version/icinga icinga web 2/0.8.2
- version/icinga icinga web 2/0.8.3
- version/icinga icinga web 2/0.8.4
- version/icinga icinga web 2/1.0
- version/icinga icinga web 2/1.0-rc1
- version/icinga icinga web 2/1.0.1
- version/icinga icinga web 2/1.0.2
- version/icinga icinga web 2/1.0.3
- version/icinga icinga web 2/1.2.0
- version/icinga icinga web 2/1.2.1
- version/icinga icinga web 2/1.3.0
- version/icinga icinga web 2/1.3.1
- version/icinga icinga web 2/1.4.0
- version/icinga icinga web 2/1.4.1
- version/icinga icinga web 2/1.6.0
- version/icinga icinga web 2/1.6.1
- version/icinga icinga web 2/1.6.2
- version/icinga icinga web 2/1.7.0
- version/icinga icinga web 2/1.7.1
- version/icinga icinga web 2/1.7.2
- version/icinga icinga web 2/1.7.3
- version/icinga icinga web 2/1.7.4
- version/icinga icinga web 2/1.8.0
- version/icinga icinga web 2/1.8.1
- version/icinga icinga web 2/1.8.2
- version/icinga icinga web 2/1.8.3
- version/icinga icinga web 2/1.9.0
- version/icinga icinga web 2/1.9.1
- version/icinga icinga web 2/1.9.2
- version/icinga icinga web 2/1.9.3
- version/icinga icinga web 2/1.10.0
- version/icinga icinga web 2/1.10.1