Upstream information

CVE-2017-6188 at MITRE

Description

Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user.

SUSE information

CVSS v2 Scores

                          National Vulnerability Database
Base Score                1.85
Vector                    AV:L/AC:M/Au:N/C:N/I:P/A:N
Access Vector             Local
Access Complexity         Medium
Authentication            None
Confidentiality Impact    None
Integrity Impact          Partial
Availability Impact       None

CVSS v3 Scores

                          National Vulnerability Database
Base Score                4.7
Vector                    AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Access Vector             Local
Access Complexity         High
Privileges Required       Low
User Interaction          None
Scope                     Unchanged
Confidentiality Impact    None
Integrity Impact          High
Availability Impact       None

SUSE Bugzilla entry: 1026539 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) / Fixed package version(s) / References

openSUSE Leap 42.1
  • munin >= 2.0.25-7.1
  • munin-node >= 2.0.25-7.1
  Patchnames: openSUSE-2017-310

openSUSE Leap 42.2
  • munin >= 2.0.25-9.1
  • munin-node >= 2.0.25-9.1
  Patchnames: openSUSE-2017-310