CVE-2013-2214

status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid style in status.cgi.  NOTE: this behavior is by design in most 3.x versions, but the upstream vendor "decided to change it for Nagios 4" and 3.5.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
nagiosnagios
3.0
nagiosnagios
3.0:alpha1
nagiosnagios
3.0:alpha2
nagiosnagios
3.0:alpha3
nagiosnagios
3.0:alpha4
nagiosnagios
3.0:alpha5
nagiosnagios
3.0:beta1
nagiosnagios
3.0:beta2
nagiosnagios
3.0:beta3
nagiosnagios
3.0:beta4
nagiosnagios
3.0:beta5
nagiosnagios
3.0:beta6
nagiosnagios
3.0:beta7
nagiosnagios
3.0:rc1
nagiosnagios
3.0:rc2
nagiosnagios
3.0:rc3
nagiosnagios
3.0.1
nagiosnagios
3.0.2
nagiosnagios
3.0.3
nagiosnagios
3.0.4
nagiosnagios
3.0.5
nagiosnagios
3.0.6
nagiosnagios
3.1.0
nagiosnagios
3.1.1
nagiosnagios
3.1.2
nagiosnagios
3.2.0
nagiosnagios
3.2.1
nagiosnagios
3.2.2
nagiosnagios
3.2.3
nagiosnagios
3.3.1
nagiosnagios
3.4.0
nagiosnagios
3.4.1
nagiosnagios
3.4.2
nagiosnagios
3.4.3
nagiosnagios
3.4.4
nagiosnagios
3.5.0
nagiosnagios
4.0.0:beta1
nagiosnagios
4.0.0:beta2
nagiosnagios
4.0.0:beta3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icinga
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
lucid
dne
nagios3
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
lucid
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2013-07/msg00029.html
http://lists.opensuse.org/opensuse-updates/2013-07/msg00031.html
http://seclists.org/oss-sec/2013/q2/619
http://seclists.org/oss-sec/2013/q2/622
http://tracker.nagios.org/view.php?id=456
http://lists.opensuse.org/opensuse-updates/2013-07/msg00029.html
http://lists.opensuse.org/opensuse-updates/2013-07/msg00031.html
http://seclists.org/oss-sec/2013/q2/619
http://seclists.org/oss-sec/2013/q2/622
http://tracker.nagios.org/view.php?id=456