The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| munin-monitoring | munin | * |
| munin-monitoring | munin | 2.0.11.1 |
| munin-monitoring | munin | 2.0.0 |
| munin-monitoring | munin | 2.0.11 |
| munin-monitoring | munin | 2.0.5 |
| munin-monitoring | munin | 2.0.4 |
| munin-monitoring | munin | 2.0.9 |
| munin-monitoring | munin | 2.0.12 |
| munin-monitoring | munin | 2.0.8 |
| munin-monitoring | munin | 2.0.16 |
| munin-monitoring | munin | 2.0.2 |
| munin-monitoring | munin | 2.0.3 |
| munin-monitoring | munin | 2.0.10 |
| munin-monitoring | munin | 2.0.6 |
| munin-monitoring | munin | 2.0.14 |
| munin-monitoring | munin | 2.0.15 |
| munin-monitoring | munin | 2.0.1 |
| munin-monitoring | munin | 2.0.13 |
| munin-monitoring | munin | 2.0.7 |
Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cause a denial of service (abort data collection for node) via a plugin that uses "multigraph" as a multigraph service name.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| munin-monitoring | munin | * |
| munin-monitoring | munin | 2.0.11.1 |
| munin-monitoring | munin | 2.0.0 |
| munin-monitoring | munin | 2.0.11 |
| munin-monitoring | munin | 2.0.5 |
| munin-monitoring | munin | 2.0.4 |
| munin-monitoring | munin | 2.0.9 |
| munin-monitoring | munin | 2.0.12 |
| munin-monitoring | munin | 2.0.8 |
| munin-monitoring | munin | 2.0.16 |
| munin-monitoring | munin | 2.0.2 |
| munin-monitoring | munin | 2.0.3 |
| munin-monitoring | munin | 2.0.10 |
| munin-monitoring | munin | 2.0.6 |
| munin-monitoring | munin | 2.0.14 |
| munin-monitoring | munin | 2.0.15 |
| munin-monitoring | munin | 2.0.1 |
| munin-monitoring | munin | 2.0.13 |
| munin-monitoring | munin | 2.0.7 |
Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| munin-monitoring | munin | * |
| debian | debian_linux | 8.0 |