CVE-2020-13977

NameCVE-2020-13977
DescriptionNagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs962826

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nagios4 (PTS)buster4.3.4-3vulnerable
bullseye, bookworm4.4.6-4fixed
sid, trixie4.4.6-4.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nagios4source(unstable)4.3.4-4962826

Notes

[buster] - nagios4 <no-dsa> (Minor issue)
https://github.com/NagiosEnterprises/nagioscore/commit/8deeca7cad3df1143ad9c351d107b5c0a6c61213
Search for package or bug name: Reporting problems