Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | monit | 1.4 |
| tildeslash | monit | 2.0 |
| tildeslash | monit | 2.1.1 |
| tildeslash | monit | 2.3 |
| tildeslash | monit | 2.1 |
| tildeslash | monit | 3.1 |
| tildeslash | monit | 4.1 |
| tildeslash | monit | 3.2 |
| tildeslash | monit | 2.4 |
| tildeslash | monit | 4.0 |
| tildeslash | monit | 2.4.3 |
| tildeslash | monit | 2.4.1 |
| tildeslash | monit | 2.2.1 |
| tildeslash | monit | 3.0 |
| tildeslash | monit | 2.4.2 |
| tildeslash | monit | 2.2 |
| tildeslash | monit | 1.4.1 |
Monit 1.4 to 4.1 allows remote attackers to cause a denial of service (daemon crash) via an HTTP POST request with a negative Content-Length field.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | monit | 1.4 |
| tildeslash | monit | 2.0 |
| tildeslash | monit | 2.1.1 |
| tildeslash | monit | 2.3 |
| tildeslash | monit | 2.1 |
| tildeslash | monit | 3.1 |
| tildeslash | monit | 4.1 |
| tildeslash | monit | 3.2 |
| tildeslash | monit | 2.4 |
| tildeslash | monit | 4.0 |
| tildeslash | monit | 2.4.3 |
| tildeslash | monit | 2.4.1 |
| tildeslash | monit | 2.2.1 |
| tildeslash | monit | 3.0 |
| tildeslash | monit | 2.4.2 |
| tildeslash | monit | 2.2 |
| tildeslash | monit | 1.4.1 |
Stack-based buffer overflow in the administration interface in Monit 1.4 through 4.2 allows remote attackers to execute arbitrary code via a long username.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | monit | 1.4 |
| tildeslash | monit | 4.0 |
| tildeslash | monit | 4.2 |
| tildeslash | monit | 4.3_beta_2 |
| tildeslash | monit | 4.1.1 |
| tildeslash | monit | 3.0 |
| tildeslash | monit | 3.1 |
| tildeslash | monit | 4.1 |
| tildeslash | monit | 3.2 |
The administration interface in Monit 1.4 through 4.2 allows remote attackers to cause an off-by-one overflow via a POST that contains 1024 bytes.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | monit | 1.4 |
| tildeslash | monit | 4.0 |
| tildeslash | monit | 4.2 |
| tildeslash | monit | 4.3_beta_2 |
| tildeslash | monit | 4.1.1 |
| tildeslash | monit | 3.0 |
| tildeslash | monit | 3.1 |
| tildeslash | monit | 4.1 |
| tildeslash | monit | 3.2 |
An issue was discovered in /admin/users/update in M/Monit before 3.7.3. It allows unprivileged users to escalate their privileges to an administrator by requesting a password change and specifying the admin parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-640,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | monit | * |
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 2.8 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | monit | * |
| canonical | ubuntu_linux | 19.04 |
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 18.10 |
| debian | debian_linux | 8.0 |
M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| disclosure@vulncheck.com | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | m/monit | 3.7.4 |
M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| disclosure@vulncheck.com | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | m/monit | 3.7.4 |
An issue was discovered in Tildeslash Monit before 5.31.0, allows remote attackers to gain escilated privlidges due to improper PAM-authorization.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tildeslash | monit | * |