CVE-2016-7067

Name: CVE-2016-7067
Description: Monit before version 5.20.0 is vulnerable to a cross-site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host or disable/enable monitoring for a specific service.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-732-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| monit (PTS) | stretch | 1:5.20.0-6+deb9u1 | fixed |
| | bullseye | 1:5.27.0-1 | fixed |
| | sid | 1:5.27.0-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| monit | source | wheezy | 1:5.4-2+deb7u1 | | DLA-732-1 | |
| monit | source | (unstable) | 1:5.20.0-1 | | | |

Notes

[jessie] - monit <no-dsa> (Minor issue)
https://bitbucket.org/tildeslash/monit/commits/c6ec3820e627f85417053e6336de2987f2d863e3?at=master
Although configured only on localhost, the httpd service is started by
default and accessible.
