CVE-2017-6188
Published 2017-02-22
CVE-2017-6188: Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file…
Priority: P4
CVSS 3.1: 5.5 (medium), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.42% (33.7th percentile)
Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | munin | < munin 2.0.31-1 (bookworm) | munin 2.0.31-1 (bookworm) |
| munin-monitoring | munin | < 2.0.30.1 | 2.0.30.1 |
| munin-monitoring | munin | >= 0 < 2.0.31-1 | 2.0.31-1 |
| munin-monitoring | munin | >= 2.1.0 < 2.999.9 | 2.999.9 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 1.9 | LOW | AV:L/AC:M/Au:N/C:N/I:P/A:N |
| OSV | — | 5.5 | MEDIUM | — |
| Debian (vendor) | — | 5.5 | MEDIUM | — |
GHSA
GHSA-vpvg-79jp-cjw8 (ghsa_unreviewed · 2022-05-13): CVE-2017-6188, MEDIUM, CWE-20
OSV
CVE-2017-6188 (osv · 2017-02-22 · CVSS 5.5 · MEDIUM)
Ubuntu
Munin vulnerability (vendor_ubuntu · 2017-03-02 · CVE-2017-6188)
Summary: Munin could be made to overwrite files.
It was discovered that Munin incorrectly handled CGI graphs. A remote attacker could use this issue to overwrite arbitrary files as the www-data user.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2017-6188: munin (vendor_debian · 2017 · CVSS 5.5 · MEDIUM)
Scope: local
bookworm: resolved (fixed in 2.0.31-1)
bullseye: resolved (fixed in 2.0.31-1)
forky: resolved (fixed in 2.0.31-1)
sid: resolved (fixed in 2.0.31-1)
trixie: resolved (fixed in 2.0.31-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-6188 munin: Local file write vulnerability with CGI graphs enabled (bugzilla · 2017-02-22 · CVSS 5.5 · MEDIUM)
Munin has a local file write vulnerability when CGI graphs are enabled. Setting multiple "upper_limit" GET parameters allows overwriting any file accessible to the www-data user.
Upstream bug:
https://github.com/munin-monitoring/munin/issues/721
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705
Discussion:
Created munin tracking bugs for this issue:
Affects: epel-all [bug 1425858]
Affects: fedora-all [bug 1425857]
---
CVE assignment:
http://openwall.com/lists/oss-security/2017/02/22/4
---
This CVE was fixed by Munin upstream 1.5 years ago. The fix is included in the current Fedora and EPEL Munin packages (2.0.40).
---
This CVE Bugzilla entry is for community support informational purpos
Bugzilla
CVE-2017-6188 munin: Local file write vulnerability with CGI graphs enabled [epel-all] (bugzilla · 2017-02-22 · CVSS 5.5 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported v
Bugzilla
CVE-2017-6188 munin: Local file write vulnerability with CGI graphs enabled [fedora-all] (bugzilla · 2017-02-22 · CVSS 5.5 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple support
References:
http://www.securityfocus.com/bid/96399
https://bugs.debian.org/855705
https://github.com/munin-monitoring/munin/issues/721
https://security.gentoo.org/glsa/201710-05
https://www.debian.org/security/2017/dsa-3794