Description
status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does not properly restrict access to certain users that are a contact for a service, which allows remote authenticated users to obtain sensitive information about hostnames via the servicegroup (1) overview, (2) summary, or (3) grid style in status.cgi. NOTE: this behavior is by design in most 3.x versions, but the upstream vendor "decided to change it for Nagios 4" and 3.5.1.
|National Vulnerability Database|
This issue is currently rated as having moderate severity.
SUSE Bugzilla entry: 827020 [RESOLVED / WONTFIX]
SUSE Security Advisories:
- openSUSE-SU-2013:1158-1, published Mon, 8 Jul 2013 10:04:48 +0200 (CEST)
- openSUSE-SU-2013:1160-1, published Mon, 8 Jul 2013 11:04:13 +0200 (CEST)
List of released packages
|Product(s)||Fixed package version(s)||References|
|openSUSE 12.3|| ||Patchnames:|
|openSUSE Evergreen 11.4|| ||Patchnames:|
|openSUSE Leap 42.1|| ||Patchnames: openSUSE Leap 42.1 GA nagios|
|openSUSE Leap 42.2|| ||Patchnames: openSUSE Leap 42.2 GA nagios|
List of planned updates
The following information is the current evaluation information for this security issue. It might neither be accurate nor complete. Use at own risk.