CVE-2024-23118: Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability

April 2, 2024

Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the updateContactHostCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22298.

References

github.com/advisories/GHSA-2j4g-v4fv-rhwg
github.com/centreon/centreon
github.com/centreon/centreon/commit/c6ee0f67544a70524539b26e8ea92209676a5399
github.com/centreon/centreon/pull/2464
nvd.nist.gov/vuln/detail/CVE-2024-23118
www.zerodayinitiative.com/advisories/ZDI-24-114

Code Behaviors & Features

Detect and mitigate CVE-2024-23118 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →