CVE-2019-13024: Command Injection

July 1, 2019 (updated July 26, 2019)

Centreon allows the attacker to execute arbitrary system commands by using the value “init_script”-“Monitoring Engine Binary” in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

References

packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html
nvd.nist.gov/vuln/detail/CVE-2019-13024

Code Behaviors & Features

Detect and mitigate CVE-2019-13024 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →