This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: Centreon Web has a **SQL Injection** flaw in the **Virtual Metrics** creation form.…
**Root Cause**: **SQL Injection** (SQLi). The vulnerability stems from insufficient input validation in the form used to create virtual metrics, allowing attackers to manipulate backend database queries.…
**Attacker Capabilities**: With **High Privileges**, attackers can execute arbitrary SQL commands. **Impact**: Full **Confidentiality**, **Integrity**, and **Availability** loss.…
**Public Exploit**: **No**. The `pocs` field is empty. **References**: Official release notes and security bulletins are available, but no public PoC or in-the-wild exploitation code is listed in the data.
Q7: How to self-check? (Features/Scanning)
**Self-Check**: 1. Check your Centreon version against the affected list. 2. Audit access to the **Virtual Metrics** creation form. 3. Monitor logs for unusual SQL syntax in metric creation requests.…
**Official Fix**: **Yes**. Updates are available in the latest releases (e.g., 24.10.3 and 24.04.9). **Action**: Upgrade immediately to the patched versions listed in the references.
Q9: What if no patch? (Workaround)
**No Patch Workaround**: 1. **Restrict Access**: Limit the high-privilege users who can create virtual metrics. 2.…
**Urgency**: **HIGH**. Despite requiring high privileges, the impact is **Critical** (CVSS: 9.8). **Priority**: Patch immediately. The damage potential (full DB control) outweighs the access requirement.…