oss-sec mailing list archives
Re: CVE Request -- Nagstamon (prior 0.9.10): Monitor server user credentials exposure in automated requests to get update information
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Jul 2013 12:03:43 -0600
On 07/11/2013 11:07 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> a user details information exposure flaw was found in the way Nagstamon, Nagios status monitor for desktop, performed automated requests to get information about available updates. A remote attacker could use this flaw to obtain user credentials for the server monitored by the desktop status monitor due to their improper (base64 encoding based) encoding in the HTTP request, when the HTTP Basic authentication scheme was used.
>
> References:
> [1] http://nagstamon.ifw-dresden.de/docs/security/
> [2] https://bugs.gentoo.org/show_bug.cgi?id=476538
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=983673
>
> Can you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
Please use CVE-2013-4114 for this issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
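An added illustration of the exposure described in the request above (not code from Nagstamon or from either poster): an HTTP Basic Authorization header is only base64, so anyone who can read the update-check request recovers the monitored server's username and password. The check below parses a constructed sample request and flags monitored-server credentials that are being sent to a host outside the monitored set; the hostnames and credentials are made up.

```python
import base64
import binascii

# Constructed sample in the shape of the flaw: an update-check request to the
# update host that carries the monitoring server's Basic-auth header.
SAMPLE_REQUEST = (
    "GET /docs/latest_version HTTP/1.1\r\n"
    "Host: nagstamon.example.invalid\r\n"
    "Authorization: Basic bmFnaW9zYWRtaW46cyNjcjN0\r\n"
    "User-Agent: Nagstamon-sample\r\n\r\n"
)
# The same request as a fixed client should send it: no credentials at all.
SAFE_REQUEST = (
    "GET /docs/latest_version HTTP/1.1\r\n"
    "Host: nagstamon.example.invalid\r\n"
    "User-Agent: Nagstamon-sample\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers dict)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def decode_basic(header_value):
    """Return (user, password) from a 'Basic <base64>' value, else None.
    Base64 is an encoding, not encryption: decoding needs no key."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    return (user, password) if sep else None

def find_credential_leak(raw, monitored_hosts):
    """Flag a request that sends Basic-auth credentials to a host that is not
    one of the monitored servers. Returns (destination, user) or None."""
    _, _, headers = parse_request(raw)
    creds = decode_basic(headers.get("authorization", ""))
    if creds is None:
        return None
    dest = headers.get("host", "").split(":")[0].lower()
    return None if dest in monitored_hosts else (dest, creds[0])
```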