DescriptionMagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

The RSS feed and call-home was removed in src:nagios3 3.5.1-1 where the affected
function was removed.
The scope of the CVE is specific to Nagios.
impact lessened by the hardened permissions in Debian: files can be extracted, but no backdoor can be installed as the web root is not writable

Search for package or bug name: Reporting problems