Description
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.
References (6)
Core 6
Core References
Exploit, Third Party Advisory x_refsource_misc
https://anhtai.me/nagios-core-4-4-5-url-injection/
Release Notes, Vendor Advisory x_refsource_misc
https://www.nagios.org/projects/nagios-core/history/4x/
Product, Third Party Advisory x_refsource_misc
https://github.com/sawolf/nagioscore/tree/url-injection-fix
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H7T6MSDWMBJEVVFSOK7DOYJJWDAFQCEQ/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P6NHNG2SJAM6DXVTXQH3AOJ4WQVKJUE/
Scores
CVSS v3
4.9
EPSS
0.0286
EPSS Percentile
84.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-829
Status
published
Products (4)
fedoraproject/fedora
32
fedoraproject/fedora
33
fedoraproject/fedora
34
nagios/nagios
4.4.5
Published
Jun 09, 2020
Tracked Since
Feb 18, 2026