CVE-2015-1561: Command Injection
First published: Tue Jul 14 2015(Updated: )
The `escape_command` function in `include/Administration/corePerformance/getStats.php` in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (offending file deleted in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `ns_id` parameter.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/centreon/centreon | <2.8.28 | 2.8.28 |
| Centreon Centreon | <=2.5.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2015-1561
- https://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
- https://github.com/centreon/centreon-archived/pull/7083
- https://github.com/centreon/centreon-archived/pull/7271
- https://github.com/centreon/centreon-archived/commit/387dffdd051dbc7a234e1138a9d06f3089bb55bb
- https://github.com/centreon/centreon-archived/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a
- https://web.archive.org/web/20201125112637/http://www.securityfocus.com/archive/1/535961/100/0/threaded
- https://github.com/advisories/GHSA-c4fj-3wqq-g9c9 (Advisory)
- http://www.securityfocus.com/archive/1/535961/100/0/threaded
- https://github.com/centreon/centreon/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a#diff-27550b563fa8d660b64bca871a219cb1
- collector/github-advisory
- alias/GHSA-c4fj-3wqq-g9c9
- alias/CVE-2015-1561
- collector/github-advisory-latest
- collector/nvd-index
- agent/author
- agent/references
- agent/weakness
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/centreon
- canonical/centreon centreon
- version/centreon centreon/2.5.4