Re: CVE Request -- Nagstamon (prior 0.9.10): Monitor server user credentials exposure in automated requests to get update information

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/11/2013 11:07 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> an user details information exposure flaw was found in the way
> Nagstamon, Nagios status monitor for desktop, performed automated
> requests to get information about available updates. Remote
> attacker could use this flaw to obtain user credentials for server
> monitored by the desktop status monitor due to their improper
> (base64 encoding based) encoding in the HTTP request, when the HTTP
> Basic authentication scheme was used.
>
> References: [1] http://nagstamon.ifw-dresden.de/docs/security/ [2]
> https://bugs.gentoo.org/show_bug.cgi?id=476538 [3]
> https://bugzilla.redhat.com/show_bug.cgi?id=983673
>
> Can you allocate a CVE id for this?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team

Please use CVE-2013-4114 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR3vN/AAoJEBYNRVNeJnmTn/YP/2nZfxqYxKPdxui1WoFpwMDv
IXzGGxHWpF+yATP/C1bx14qxJ8cbjDjkqWVhF4sy1q81bpjCZMGYscp+CT+X7jGD
0dE8d+rlMP4Jh5jaIrnNH9EPwNh8b1HL0OYbXgq2HEBeGc3FS4dPCIteyvtTEv5u
KScySH2YR607nC4oC2xOo/feVgCTEuTIdpkXJTTKbWtKsVSOTZo9+06B/ZrvBbVd
7cr3kg4dvXJ+y+7e3zFe7J4X1Qg2TSBjBFODMFCwYpdwTRgT1yWx/TCqx6d5Qwzk
gHCCzBvQHMmowD5ARpku8cqwLZ4ZPFHERZ+zn9usQyleEBMFx8ehxOfhaOPAgpO/
v3duOZhzujZHWvLV7+zCph15hjjF2MiY0xbbnhNMiSRF8zrTre/1GZNJeFk/zfik
tBSwd27EyL2wqKmie8qHcXtw6Eh+Pvqvs8gqbtOYIrrqLN0rpZd7QX/5Il5d3ACD
8oVnY1HGxAh3tLYCATUtHRLMtDc5UYjT8QciTiDdCdOrOleqEylMh+OBNf/2BUou
mmnsTHIc+ekkFGv1ee3IIglPX29o6+d7mJoWwtHeV1OPupKNiLRrXrSi97aDIwda
C0acCuXCUfTunDQse2y8gQbqgzbfOM0CF0W+yCWnVfuxdA37m00GMyPwOWCwxkyC
p0zjLSxdvUZr4pK0ZP5f
=GUAx
-----END PGP SIGNATURE-----