CVE-2012-2104
Published: 26 August 2012
cgi-bin/munin-cgi-graph in Munin 2.x writes data to a log file without sanitizing non-printable characters, which might allow user-assisted remote attackers to inject terminal emulator escape sequences and execute arbitrary commands or delete arbitrary files via a crafted HTTP request.
Notes
Author | Note |
---|---|
mdeslaur | reproducer in debian bug. Doesn't seem to log in 1.x, not vulnerable |
Priority
Status
Package | Release | Status |
---|---|---|
munin | hardy | Ignored (end of life) |
munin | lucid | Not vulnerable |
munin | natty | Not vulnerable |
munin | oneiric | Not vulnerable |
munin | precise | Not vulnerable |
munin | upstream | Released (2.0~rc6-1) |
Patches:
upstream: http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=c3fa936aa88bb983a8553d75726825bf2a3ffa05
upstream: http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=e0cd8035485caf433311c194d3025864dd7809d2
upstream: http://anonscm.debian.org/gitweb/?p=collab-maint/munin.git;a=commit;h=1206e57bc4e8c0ffbaf23e3f0922abcb49ae8ae2