CVE-2022-34872
MEDIUMCentreon - Authenticated SQL Injection via Virtual Metrics Processing
Title source: llmDescription
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of Virtual Metrics. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16336.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://docs.centreon.com/docs/21.10/releases/centreon-core/
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-22-954/
Scores
CVSS v3
6.5
EPSS
0.0187
EPSS Percentile
76.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-89
Status
published
Products (1)
centreon/centreon
21.10.2
Published
Aug 03, 2022
Tracked Since
Feb 18, 2026