CVE-2024-23117: Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability

April 2, 2024

Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the updateContactServiceCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22297.

References

github.com/advisories/GHSA-j8hg-v5qv-9m28
github.com/centreon/centreon
github.com/centreon/centreon/commit/c6ee0f67544a70524539b26e8ea92209676a5399
github.com/centreon/centreon/pull/2464
nvd.nist.gov/vuln/detail/CVE-2024-23117
www.zerodayinitiative.com/advisories/ZDI-24-115

Code Behaviors & Features

Detect and mitigate CVE-2024-23117 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →