CVE-2020-14947

NameCVE-2020-14947
DescriptionOCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ocsinventory-server (PTS)jessie2.0.5-1.3fixed
buster (security), buster, buster (lts)2.5+dfsg1-1+deb10u1fixed
bullseye2.8.1+dfsg1-1+deb11u1fixed
sid, trixie, bookworm2.8.1+dfsg1+~2.11.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ocsinventory-serversource(unstable)(not affected)

Notes

- ocsinventory-server <not-affected> (Vulnerable code not resent in a Debian released version)
Introduced in: https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/73003df3e5021d8ff094cd4e5b8abb851c99d2ae (2.7)
Fixed by: https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/da72e0fddaeceee44fbbd7241e07e5d53d1eee64 (2.8)

Search for package or bug name: Reporting problems