CVE-2017-6188

Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user.
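| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |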
EPSS Score percentile: 34%
| Vendor | Product | Version |
|---|---|---|
| munin-monitoring | munin | x < 2.0.30.1 |
| munin-monitoring | munin | 2.1.0 ≤ x < 2.999.9 |
| debian | debian_linux | 8.0 |

x = Vulnerable software versions
Debian Releases

Debian Product: munin

| Codename | Version | Status |
|---|---|---|
| bullseye | 2.0.67-3 | fixed |
| bookworm | 2.0.73-1 | fixed |
| sid | 2.0.76-1 | fixed |
| trixie | 2.0.76-1 | fixed |
Ubuntu Releases

Ubuntu Product: munin

| Codename | Version | Status |
|---|---|---|
| yakkety | Fixed 2.0.25-2ubuntu0.16.10.2 | released |
| xenial | Fixed 2.0.25-2ubuntu0.16.04.2 | released |
| trusty | Fixed 2.0.19-3ubuntu0.2 | released |
| precise | | not-affected |