PT-2024-15: Unauth Time-based SQL Injection in Pandora FMS

Vendor: Pandora FMS

Product: Pandora FMS

Vulnerable version: 700-776

Vulnerability type:

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Identifier (ID):

BDU:2024-03165

CVE-2023-44091

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

- Severity (CVSSv3.1): 9.1 (critical)

Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

- Severity (CVSSv4.0): 8.8 (high)

Description:

The vulnerability was identified in Pandora FMS, versions from 700 through

The vulnerability can be exploited without authentication. It allows to gain access to arbitrary data from database.

The vulnerability is a part of a chain that leads to remote code execution and complete server compromise (PT-ID-2024-16, CVE-2023-44092).

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 10.01.2024

Recommendations: Update to version NG 776 RRR or higher.

Additional information:

- Release notes
- Security Bulletin
- Press-Release

Researcher: Aleksey Solovev (Positive Technologies)