Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-2104 — Improper Input Validation in Munin

CWE-20 — Improper Input Validation7 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

3.7%

top 12.04%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Munin-monitoring Munin Debian Munin Citrix Sd-wan +2 more

Timeline

PublishedAug 26

Latest updateMay 14

Description

cgi-bin/munin-cgi-graph in Munin 2.x writes data to a log file without sanitizing non-printable characters, which might allow user-assisted remote attackers to inject terminal emulator escape sequences and execute arbitrary commands or delete arbitrary files via a crafted HTTP request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages6 packages

▶debiandebian/munin< munin 2.0~rc6-1 (bookworm)

▶Debianmunin-monitoring/munin< 2.0~rc6-1+3

▶NVDmunin-monitoring/munin2.0, 2.1+1

▶citrixcitrix/sd-wan

▶citrixcitrix/xenserver

🔴Vulnerability Details

GHSA

GHSA-3pm4-hp5q-g8qj: cgi-bin/munin-cgi-graph in Munin 2↗2022-05-14

▶

OSV

CVE-2012-2104: cgi-bin/munin-cgi-graph in Munin 2↗2012-08-26

▶

💥Exploits & PoCs

Exploit-DB

Munin 2.0~rc4-1 - Remote Command Injection↗2012-04-13

▶

📋Vendor Advisories

Debian

CVE-2012-2104: munin - cgi-bin/munin-cgi-graph in Munin 2.x writes data to a log file without sanitizin...↗2012

▶

Citrix

Citrix SD-WAN Multiple Security Updates↗

▶

💬Community

Bugzilla

CVE-2012-2104 munin (munin-cgi-graph, munin-fastcgi-graph): Possibility to inject arbitrary strings into munin-cgi-graph.log↗2012-04-16

▶