PublicDateAtUSN: 2019-04-22
Candidate: CVE-2019-11455
PublicDate: 2019-04-22 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11455
 https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
 https://github.com/dzflack/exploits/blob/master/macos/monit_dos.py
 https://github.com/dzflack/exploits/blob/master/unix/monit_buffer_overread.py
 https://ubuntu.com/security/notices/USN-3971-1
Description:
 A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before
 5.25.3 allows a remote authenticated attacker to retrieve the contents of
 adjacent memory via manipulation of GET or POST parameters. The attacker
 can also cause a denial of service (application outage).
Ubuntu-Description:
 Zack Flack discovered a buffer overread when Monit decoded certain crafted
 URLs. An attacker could exploit this to leak potentially sensitive
 information.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927775
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H [8.1 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H [8.1 HIGH]


Patches_monit:
upstream_monit: needed
precise/esm_monit: DNE
trusty_monit: ignored (out of standard support)
trusty/esm_monit: needed
xenial_monit: ignored (end of standard support, was needed)
bionic_monit: needed
cosmic_monit: released (1:5.25.2-1ubuntu0.1)
disco_monit: released (1:5.25.2-3ubuntu0.1)
eoan_monit: ignored (reached end-of-life)
focal_monit: not-affected (1:5.25.3-1)
groovy_monit: not-affected (1:5.25.3-1)
hirsute_monit: not-affected (1:5.25.3-1)
impish_monit: not-affected (1:5.25.3-1)
jammy_monit: not-affected (1:5.25.3-1)
devel_monit: not-affected (1:5.25.3-1)