[ASA-201905-1] munin: arbitrary file overwrite
Santiago Torres-Arias
santiago at archlinux.org
Tue May 7 20:52:00 UTC 2019

Arch Linux Security Advisory ASA-201905-1
=========================================

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2017-6188
Package : munin
Type    : arbitrary file overwrite
Remote  : Yes
Link    : https://security.archlinux.org/AVG-953

Summary
=======

The package munin before version 2.0.47-1 is vulnerable to arbitrary
file overwrite.

Resolution
==========

Upgrade to 2.0.47-1.

# pacman -Syu "munin>=2.0.47-1"

The problem has been fixed upstream in version 2.0.47.

Workaround
==========

None.

Description
===========

A vulnerability in munin allows attackers to overwrite any file
accessible to the webserver user by setting multiple upper_limit GET
parameters when CGI graphs are enabled.
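
A log check for the request pattern described above, added here as an
example (it is not part of the advisory or of munin): it flags access-log
requests whose query string carries upper_limit more than once. The log
lines and the /cgi-graph/ path are constructed, and counting ';' as a
parameter separator is an assumption about how the CGI layer may split
the query string.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a common/combined access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def repeated_params(target, watched=("upper_limit",)):
    """Return {name: count} for watched query parameters that occur more than once."""
    query = urlsplit(target).query
    # Assumption: the CGI layer may also split on ';', so count it as a separator.
    query = query.replace(";", "&")
    counts = {}
    # parse_qsl percent-decodes names, so "upper%5Flimit" is counted as upper_limit.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name in watched:
            counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}

def scan(lines, watched=("upper_limit",)):
    """Return (line number, client, target, repeats) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        repeats = repeated_params(match.group("target"), watched)
        if repeats:
            client = line.split(" ", 1)[0]
            findings.append((lineno, client, match.group("target"), repeats))
    return findings

# Constructed sample log lines (documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2019:20:00:01 +0000] "GET /cgi-graph/host/cpu-day.png?upper_limit=100 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [07/May/2019:20:00:05 +0000] "GET /cgi-graph/host/cpu-day.png?upper_limit=100&upper_limit=200 HTTP/1.1" 200 5120',
    '192.0.2.12 - - [07/May/2019:20:00:09 +0000] "GET /cgi-graph/host/cpu-day.png?lower_limit=0;upper%5Flimit=1;upper_limit=2 HTTP/1.1" 200 5120',
    '192.0.2.13 - - [07/May/2019:20:00:12 +0000] "GET /index.html HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for lineno, client, target, repeats in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} {target} repeats={repeats}")
```
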

Impact
======

A remote attacker is able to overwrite arbitrary files on the
filesystem.

References
==========

https://bugs.archlinux.org/task/57537
https://www.debian.org/security/2017/dsa-3794
https://github.com/munin-monitoring/munin/pull/797/commits/42ce18f24d3eae8be33526a198bf21e4f2330230
https://security.archlinux.org/CVE-2017-6188