[3.8] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)
CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash
Monit before 5.25.3 allows a remote unauthenticated attacker to
introduce arbitrary JavaScript
via manipulation of an unsanitized user field of the Authorization
header for HTTP Basic Authentication, which is mishandled during an
_viewlog operation.
References:
https://github.com/dzflack/exploits/blob/master/unix/monit\_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454
Patches:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
before 5.25.3 allows a remote authenticated attacker to retrieve the
contents of adjacent memory via manipulation of GET or POST parameters.
The attacker can also cause a denial of service (application outage).
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11455
Patch:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
(from redmine: issue id 10493, created on 2019-05-28, closed on 2019-06-05)
- Relations:
- parent #10491 (closed)
- Changesets:
- Revision 8ae19acb on 2019-06-05T13:42:06Z:
main/monit: upgrade to 5.25.2, security fixes
CVE-2019-11454, CVE-2019-11455
Fixes #10493