Closed
Opened May 28, 2019 by Alicha CH (@alicha, Reporter)

[3.9] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)

CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c

Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.

References:

https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454

Patches:

https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c

CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c

A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-11455

Patch:

https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
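As an added illustration of the bug class named above (not Monit's code, and not a claim about the exact defect in Util_urlDecode): a percent-decoder that reads the two bytes after `%` without first checking how much input remains will run past the end of a request parameter ending in `%` or `%4`. The decoder below is length-bounded and rejects truncated or non-hex escapes instead of reading on; the helpers `decodes_to` and `rejects` exist only to exercise it.

```c
#include <stddef.h>
#include <string.h>

/* Decode one hex digit; returns -1 if `c` is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Length-bounded percent-decoder. Reads at most `in_len` bytes of `in`
 * (never relying on a NUL terminator) and writes at most `out_cap - 1`
 * bytes plus a terminating NUL to `out`. Returns the decoded length, or
 * -1 on a malformed escape ("%" or "%4" at end of input, "%zz") or when
 * `out` is too small. Rejecting a truncated escape instead of decoding
 * whatever follows is what keeps every read inside [in, in + in_len).
 */
long url_decode_safe(const char *in, size_t in_len, char *out, size_t out_cap) {
    size_t i = 0, o = 0;
    if (out_cap == 0) return -1;
    while (i < in_len) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            /* Bounds check BEFORE touching in[i + 1] and in[i + 2]. */
            if (in_len - i < 3) return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)((hi << 4) | lo);
            i += 3;
        } else {
            if (c == '+') c = ' ';   /* form-encoding convention */
            i += 1;
        }
        if (o + 1 >= out_cap) return -1;  /* leave room for the NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Helper: 1 if `in` decodes exactly to `expect`, else 0. */
int decodes_to(const char *in, const char *expect) {
    char buf[64];
    long n = url_decode_safe(in, strlen(in), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}

/* Helper: 1 if decoding `in` is rejected as malformed, else 0. */
int rejects(const char *in) {
    char buf[64];
    return url_decode_safe(in, strlen(in), buf, sizeof buf) == -1;
}
```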

(from redmine: issue id 10492, created on 2019-05-28, closed on 2019-06-05)

  • Relations:
    • parent #10491 (closed)
  • Changesets:
    • Revision b3c4cba8 on 2019-06-05T13:39:23Z:
      main/monit: security fixes (CVE-2019-11454, CVE-2019-11455)

      Fixes #10492
Milestone: 3.9.5
Reference: alpine/aports#10492