CVE-2018-20434: OS Command Injection

April 24, 2019 (updated June 4, 2019)

LibreNMS allows remote attackers to execute arbitrary OS commands by using the community parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhostrequest that triggershtml/includes/output/capture.inc.php` command mishandling.

References

nvd.nist.gov/vuln/detail/CVE-2018-20434

Code Behaviors & Features

Detect and mitigate CVE-2018-20434 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →