MidnightBSD

Advisories for tildeslash

CVE-2003-1083 HIGH

Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
tildeslash monit 1.4
tildeslash monit 2.0
tildeslash monit 2.1.1
tildeslash monit 2.3
tildeslash monit 2.1
tildeslash monit 3.1
tildeslash monit 4.1
tildeslash monit 3.2
tildeslash monit 2.4
tildeslash monit 4.0
tildeslash monit 2.4.3
tildeslash monit 2.4.1
tildeslash monit 2.2.1
tildeslash monit 3.0
tildeslash monit 2.4.2
tildeslash monit 2.2
tildeslash monit 1.4.1
CVE-2003-1084 MEDIUM

Monit 1.4 to 4.1 allows remote attackers to cause a denial of service (daemon crash) via an HTTP POST request with a negative Content-Length field.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
tildeslash monit 1.4
tildeslash monit 2.0
tildeslash monit 2.1.1
tildeslash monit 2.3
tildeslash monit 2.1
tildeslash monit 3.1
tildeslash monit 4.1
tildeslash monit 3.2
tildeslash monit 2.4
tildeslash monit 4.0
tildeslash monit 2.4.3
tildeslash monit 2.4.1
tildeslash monit 2.2.1
tildeslash monit 3.0
tildeslash monit 2.4.2
tildeslash monit 2.2
tildeslash monit 1.4.1
CVE-2004-1898 HIGH

Stack-based buffer overflow in the administration interface in Monit 1.4 through 4.2 allows remote attackers to execute arbitrary code via a long username.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
tildeslash monit 1.4
tildeslash monit 4.0
tildeslash monit 4.2
tildeslash monit 4.3_beta_2
tildeslash monit 4.1.1
tildeslash monit 3.0
tildeslash monit 3.1
tildeslash monit 4.1
tildeslash monit 3.2
CVE-2004-1899 MEDIUM

The administration interface in Monit 1.4 through 4.2 allows remote attackers to cause an off-by-one overflow via a POST that contains 1024 bytes.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
tildeslash monit 1.4
tildeslash monit 4.0
tildeslash monit 4.2
tildeslash monit 4.3_beta_2
tildeslash monit 4.1.1
tildeslash monit 3.0
tildeslash monit 3.1
tildeslash monit 4.1
tildeslash monit 3.2
CVE-2019-11393 MEDIUM

An issue was discovered in /admin/users/update in M/Monit before 3.7.3. It allows unprivileged users to escalate their privileges to an administrator by requesting a password change and specifying the admin parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-640,

Products Affected

Vendor Product Version
tildeslash monit *
CVE-2019-11455 MEDIUM

A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
tildeslash monit *
canonical ubuntu_linux 19.04
fedoraproject fedora 31
fedoraproject fedora 32
canonical ubuntu_linux 18.10
debian debian_linux 8.0
CVE-2020-36968

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
tildeslash m/monit 3.7.4
CVE-2020-36969

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
tildeslash m/monit 3.7.4
CVE-2022-26563

An issue was discovered in Tildeslash Monit before 5.31.0, allows remote attackers to gain escilated privlidges due to improper PAM-authorization.

Products Affected

Vendor Product Version
tildeslash monit *