CVE-2020-13977

MEDIUM

Nagios 4.4.5 - Privilege Escalation

Title source: llm

Description

Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.

References (6)

[Exploit, Third Party Advisory] https://anhtai.me/nagios-core-4-4-5-url-injection/

[Release Notes, Vendor Advisory] https://www.nagios.org/projects/nagios-core/history/4x/

[Product, Third Party Advisory] https://github.com/sawolf/nagioscore/tree/url-injection-fix

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H7T6MSDWMBJEVVFSOK7DOYJJWDAFQCEQ/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P6NHNG2SJAM6DXVTXQH3AOJ4WQVKJUE/

Scores

CVSS v3 4.9

EPSS 0.0187

EPSS Percentile 83.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-829

Status published

Products (4)

fedoraproject/fedora 32

fedoraproject/fedora 33

fedoraproject/fedora 34

nagios/nagios 4.4.5

Published Jun 09, 2020

Tracked Since Feb 18, 2026