[ASA-201905-1] munin: arbitrary file overwrite

Santiago Torres-Arias santiago at archlinux.org
Tue May 7 20:52:00 UTC 2019


Arch Linux Security Advisory ASA-201905-1
=========================================

Severity: High
Date    : 2019-05-06
CVE-ID  : CVE-2017-6188
Package : munin
Type    : arbitrary file overwrite
Remote  : Yes
Link    : https://security.archlinux.org/AVG-953

Summary
=======

The package munin before version 2.0.47-1 is vulnerable to arbitrary
file overwrite.

Resolution
==========

Upgrade to 2.0.47-1.

# pacman -Syu "munin>=2.0.47-1"

The problem has been fixed upstream in version 2.0.47.

Workaround
==========

None.

Description
===========

A vulnerability in munin allows attackers to overwrite any file
accessible to the webserver user by setting multiple upper_limit GET
parameters when CGI graphs are enabled.

Impact
======

A remote attacker is able to overwrite arbitrary files on the
filesystem.

References
==========

https://bugs.archlinux.org/task/57537
https://www.debian.org/security/2017/dsa-3794
https://github.com/munin-monitoring/munin/pull/797/commits/42ce18f24d3eae8be33526a198bf21e4f2330230
https://security.archlinux.org/CVE-2017-6188
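
Added example, not part of the advisory or of munin's code: a log check that flags requests carrying more than one upper_limit parameter, the pattern named in the Description. The combined access-log format, the "munin-cgi-graph" path hint and the sample lines are assumptions; adjust them to the local web server setup.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined access-log entry: "METHOD target PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PARAM = "upper_limit"  # parameter named in the advisory


def count_param(target, name=PARAM):
    """Count how often `name` occurs in the query string of a request target."""
    query = urlsplit(target).query
    # Assumption: treat ';' like '&', since some CGI parsers accept both.
    pairs = parse_qsl(query.replace(";", "&"), keep_blank_values=True)
    # parse_qsl percent-decodes names, so "upper%5Flimit" is counted too.
    return sum(1 for key, _ in pairs if key == name)


def suspicious_lines(lines, path_hint="munin-cgi-graph"):
    """Return (line_number, client, target) for requests repeating the parameter.

    path_hint is an assumed URL fragment for the CGI graph endpoint; pass ""
    to check every request regardless of path.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP entry
        target = match.group("target")
        if path_hint and path_hint not in urlsplit(target).path:
            continue
        if count_param(target) > 1:
            hits.append((number, line.split(" ", 1)[0], target))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2019:10:00:01 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?upper_limit=100 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/May/2019:10:00:05 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?upper_limit=1&upper_limit=2 HTTP/1.1" 200 0',
    '198.51.100.7 - - [07/May/2019:10:00:09 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host/cpu-day.png?size_x=800&upper%5Flimit=1;upper_limit=2 HTTP/1.1" 200 0',
    '203.0.113.4 - - [07/May/2019:10:00:12 +0000] "GET /index.html?upper_limit=1&upper_limit=2 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, client, target in suspicious_lines(SAMPLE_LOG):
        print(f"line {number}: {client} repeated {PARAM}: {target}")
```

A hit on a host that ran munin before 2.0.47-1 with CGI graphs enabled is a reason to review files writable by the webserver user.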