CVE-2013-2214

status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid style in status.cgi. NOTE: this behavior is by design in most 3.x versions, but the upstream vendor "decided to change it for Nagios 4" and 3.5.1.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
icinga	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not in release
nagios3	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected

Notes

seth-arnold

Icinga asserts not-affected despite reports to the contrary

mdeslaur

this CVE has been rejected: http://www.openwall.com/lists/oss-security/2013/08/02/3

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nagios3	Other: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=nagios3_status_cgi_servicegroup.debdiff;att=1;bug=714171 Upstream: http://tracker.nagios.org/file_download.php?file_id=182&type=bug

Status

Notes

seth-arnold

mdeslaur

Patch details

References

Other references