Debian: DSA-3495-1 Moderate: Xymon Security Flaws and Risks
debian
February 29, 2016
Markus Krell discovered that xymon, a network- and applications-monitoring system, was vulnerable to the following security issues:
Topics Covered
Summary
CVE-2016-2054
The incorrect handling of user-supplied input in the "config"
command can trigger a stack-based buffer overflow, resulting in
denial of service (via application crash) or remote code execution.
CVE-2016-2055
The incorrect handling of user-supplied input in the "config"
command can lead to an information leak by serving sensitive
configuration files to a remote user.
CVE-2016-2056
The commands handling password management do not properly validate
user-supplied input, and are thus vulnerable to shell command
injection by a remote user.
CVE-2016-2057
Incorrect permissions on an internal queuing system allow a user
with a local account on the xymon master server to bypass all
network-based access control lists, and thus inject messages
directly into xymon.
CVE-2016-2058
Incorrect escaping of user-supplied input in status webpages can
be used to trigger reflected cross-site scripting attacks.
For the stable distribution (jessie), these problems have been fixed in
v...
PREVIOUS
NEXT
Package: xymon
CVE ID: CVE-2016-2054 CVE-2016-2055 CVE-2016-2056 CVE-2016-2057
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!