Candidate: CVE-2018-12483
PublicDate: 2018-08-04 01:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12483
 https://www.tarlogic.com/en/blog/vulnerabilities-in-ocs-inventory-2-4-1/
Description:
 OCS Inventory 2.4.1 is prone to a remote command-execution vulnerability.
 Specifically, this issue occurs because the content of the ipdiscover_analyser
 rzo GET parameter is concatenated to a string used in an exec() call in the
 PHP code. Authentication is needed in order to exploit this vulnerability.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905396
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_ocsinventory-server:
upstream_ocsinventory-server: needs-triage
precise/esm_ocsinventory-server: DNE
trusty_ocsinventory-server: ignored (reached end-of-life)
trusty/esm_ocsinventory-server: DNE (trusty was needs-triage)
xenial_ocsinventory-server: ignored (end of standard support, was needed)
bionic_ocsinventory-server: needed
cosmic_ocsinventory-server: ignored (reached end-of-life)
disco_ocsinventory-server: not-affected (2.5+dfsg-1)
eoan_ocsinventory-server: not-affected (2.5+dfsg-1)
focal_ocsinventory-server: not-affected (2.5+dfsg-1)
groovy_ocsinventory-server: not-affected (2.5+dfsg-1)
hirsute_ocsinventory-server: not-affected (2.5+dfsg-1)
impish_ocsinventory-server: not-affected (2.5+dfsg-1)
jammy_ocsinventory-server: not-affected (2.5+dfsg-1)
devel_ocsinventory-server: not-affected (2.5+dfsg-1)