CVE-2022-34872

MEDIUM

Centreon - Authenticated SQL Injection via Virtual Metrics Processing

Title source: llm
STIX 2.1

Description

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of Virtual Metrics. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16336.

References (2)

Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://docs.centreon.com/docs/21.10/releases/centreon-core/
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-22-954/

Scores

CVSS v3 6.5
EPSS 0.0187
EPSS Percentile 76.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-89
Status published
Products (1)
centreon/centreon 21.10.2
Published Aug 03, 2022
Tracked Since Feb 18, 2026