Candidate: CVE-2020-13977
PublicDate: 2020-06-09 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13977
 https://anhtai.me/nagios-core-4-4-5-url-injection/
 https://github.com/sawolf/nagioscore/tree/url-injection-fix
 https://www.nagios.org/projects/nagios-core/history/4x/
Description:
 Nagios 4.4.5 allows an attacker, who already has administrative access to
 change the "URL for JSON CGIs" configuration setting, to modify the Alert
 Histogram and Trends code via crafted versions of the archivejson.cgi,
 objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been
 mistakenly associated with CVE-2020-1408.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N [4.9 MEDIUM]

Patches_nagios4:
upstream_nagios4: needs-triage
precise/esm_nagios4: DNE
trusty_nagios4: ignored (out of standard support)
trusty/esm_nagios4: DNE
xenial_nagios4: DNE
bionic_nagios4: DNE
eoan_nagios4: ignored (reached end-of-life)
focal_nagios4: needs-triage
groovy_nagios4: not-affected (4.3.4-4)
hirsute_nagios4: not-affected (4.3.4-4)
impish_nagios4: not-affected (4.3.4-4)
jammy_nagios4: not-affected (4.3.4-4)
devel_nagios4: not-affected (4.3.4-4)