Title

Mutiny Monitoring Appliance < 6.1.0-5263 - Command Injection (CVE-2018-15529)

Product

Mutiny Monitoring Appliance
https://www.mutiny.com/

CVE

CVE-2018-15529

Credit

Reginald Dodd

Description

A command injection vulnerability in maintenance.cgi in Mutiny "Monitoring Appliance" before 6.1.0-5263 allows authenticated users, with access to the admin interface, to inject arbitrary commands within the filename of a system upgrade upload.
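
The injection point described above is a client-supplied upload filename that ends up in a command. The following Python is an added example, not code from this advisory or from the vendor's patch, showing one defensive pattern for that bug class: allowlist the name, store the file under a server-generated name, and invoke helpers with an argument vector instead of a shell string. The naming policy, function names and spool directory are assumptions; the advisory does not describe how maintenance.cgi processes the file.

```python
import re
import subprocess
import sys
import tempfile
import uuid
from pathlib import Path

# Assumed naming policy for upgrade packages (hypothetical, not the vendor's).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_safe_upload_name(name):
    """Allowlist check: no shell metacharacters, whitespace or path parts."""
    return bool(SAFE_NAME.fullmatch(name)) and ".." not in name


def store_upload(data, client_name, spool):
    """Save the upload under a server-generated name. The client-supplied
    name is only validated; it never becomes part of a path or command."""
    if not is_safe_upload_name(client_name):
        raise ValueError("rejected upload filename")
    dest = Path(spool) / f"upgrade-{uuid.uuid4().hex}.pkg"
    dest.write_bytes(data)
    return dest


def run_on_file(argv_prefix, path):
    """Run a helper with the path as a single argv element and no shell, so
    characters in the path are never parsed as command syntax."""
    done = subprocess.run([*argv_prefix, str(path)], capture_output=True,
                          text=True, check=True, timeout=30)
    return done.stdout


if __name__ == "__main__":
    # Constructed sample names; the second carries a shell metacharacter.
    for name in ("upgrade-6.1.0-5263.tgz", "upgrade.tgz;echo x"):
        print(repr(name), "accepted" if is_safe_upload_name(name) else "rejected")
    with tempfile.TemporaryDirectory() as spool:
        saved = store_upload(b"constructed bytes", "upgrade-6.1.0-5263.tgz", spool)
        # Stand-in helper: echoes its argument back to show it arrives intact.
        echo = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
        print(run_on_file(echo, saved).strip() == str(saved))
```

Either control alone breaks the path from filename to command; applying both means a gap in the allowlist does not become command execution.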

Version Tested

Version 6.1.0-5191 was tested and is vulnerable.

Solution

Upgrade to v6.1.0-5263.

Reference

https://www.mutiny.com/mutiny-support/previous-releases/ (Under the "Patches/Bugs Fixed" section)
https://doddsecurity.com/135/remote-command-execution-on-the-monitoring-appliances/

Timeline

August 12, 2018 - A detailed report and exploit were sent to the vendor.
August 13, 2018 - The vendor released a patch (version 6.1.0-5263).
August 19, 2018 - MITRE assigned a CVE.