CVE-2022-34872: Centreon Virtual Metrics SQL Injection Information Disclosure Vulnerability
First published: Wed Aug 03 2022(Updated: )
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of Virtual Metrics. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16336.
Credit: zdi-disclosures@trendmicro.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Centreon Centreon | =21.10.2 | |
| Centreon Centreon |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-34872.
What is the title of the vulnerability?
The title of the vulnerability is Centreon Virtual Metrics SQL Injection Information Disclosure Vulnerability.
What is the severity of CVE-2022-34872?
The severity of CVE-2022-34872 is medium with a CVSS score of 6.5.
What software versions are affected by CVE-2022-34872?
The affected software version is Centreon Centreon 21.10.2.
How can this vulnerability be exploited?
To exploit this vulnerability, remote attackers need to authenticate and can then disclose sensitive information through SQL injection in Centreon's Virtual Metrics processing.
- collector/nvd-index
- collector/zdi-advisory
- alias/ZDI-22-954
- alias/ZDI-CAN-16336
- alias/CVE-2022-34872
- vendor/centreon
- canonical/centreon centreon
- version/centreon centreon/21.10.2