CVE-2016-9565

NameCVE-2016-9565
DescriptionMagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-751-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nagios3 (PTS)jessie3.5.1.dfsg-2fixed
jessie (security)3.5.1.dfsg-2+deb8u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nagios3source(unstable)3.5.1-1high
nagios3sourcewheezy3.4.1-3+deb7u3highDLA-751-1

Notes

https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
The RSS feed and call-home was removed in src:nagios3 3.5.1-1 where the affected
function was removed.
The scope of the CVE is specific to Nagios.
impact lessened by the hardened permissions in Debian: files can be extracted, but no backdoor can be installed as the web root is not writable

Search for package or bug name: Reporting problems