CVE-2021-3325

Monitorix 3.13.0 allows remote attackers to bypass Basic Authentication in a default installation (i.e., an installation without a hosts_deny option). This issue occurred because a new access-control feature was introduced without considering that some exiting installations became unsafe, upon an update to 3.13.0, unless the new feature was immediately configured.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
fibranetmonitorix
3.13.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
monitorix
groovy
not-affected
focal
not-affected
bionic
dne
xenial
dne
trusty
dne
References
https://github.com/mikaku/Monitorix/commit/d6816e20da1a98bcdc6372d9c36a093df5238f4a
https://github.com/mikaku/Monitorix/compare/v3.13.0...v3.13.1
https://github.com/mikaku/Monitorix/issues/309
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67DDUU56LP76AJ2K7WJ733QPL2FHKKNG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGG6WK44CYY6GEFRTCUEDANVNSX5NDH7/
https://www.monitorix.org/news.html?n=20210127
https://github.com/mikaku/Monitorix/commit/d6816e20da1a98bcdc6372d9c36a093df5238f4a
https://github.com/mikaku/Monitorix/compare/v3.13.0...v3.13.1
https://github.com/mikaku/Monitorix/issues/309
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67DDUU56LP76AJ2K7WJ733QPL2FHKKNG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGG6WK44CYY6GEFRTCUEDANVNSX5NDH7/
https://www.monitorix.org/news.html?n=20210127