Advisory

Monitoring software Centreon patches multiple SQL Injection flaws

Take action: If you are running Centreon monitoring, upgrade to the patched versions as soon as possible. Isolating the instance from the internet reduces exposure but is not a long-term fix.

Centreon, a widely used open-source monitoring tool, has issued a security advisory addressing multiple critical SQL injection vulnerabilities in its web interface. These vulnerabilities can lead to unauthorized database manipulation and potential system compromise.

The identified vulnerabilities include:

  • CVE-2024-32501 (CVSS score 9.1): A SQL injection vulnerability in the updateServiceHost function.
  • CVE-2024-33852 (CVSS score 9.1): A critical SQL injection vulnerability in the Downtime component that allows attackers to manipulate the database and extract sensitive information.
  • CVE-2024-33853 (CVSS score 9.1): A critical SQL injection flaw in the Timeperiod component, which could be exploited to compromise the database.
  • CVE-2024-33854 (CVSS score 9.1): A SQL injection vulnerability in the Graph Template component, posing a serious risk to data integrity.
  • CVE-2024-5725 (CVSS score 8.8): A SQL injection flaw in the Metric Image component, enabling unauthorized database access.
  • CVE-2024-39841 (CVSS score 8.8): A SQL injection vulnerability via service configuration, potentially allowing attackers to gain control over the Centreon Web system.

All on-premise versions of Centreon Web are susceptible to these vulnerabilities. Left unpatched, these flaws could be exploited to corrupt databases, access confidential information, or disrupt entire systems.

Centreon has released updates for all supported versions of Centreon Web that address these vulnerabilities. Users should immediately upgrade to the following fixed versions:

  • Centreon Web 24.04.3
  • Centreon Web 23.10.13
  • Centreon Web 23.04.19
  • Centreon Web 22.10.23

For those using unsupported versions, upgrading to version 24.04 is strongly recommended to ensure security. The vulnerabilities have already been patched on the Centreon Cloud platforms.
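To turn the fixed-version list above into something an operator can run across an inventory, the following added example (not code from Centreon or from the advisory) compares an on-premise Centreon Web version string against the fixed release of its own branch. It assumes the version is reported as MAJOR.MINOR.PATCH (for example "24.04.3"); the branch table and the 24.04 recommendation for unsupported versions are taken from the advisory, and the host inventory at the bottom is constructed sample data.

```python
"""Branch-aware check of a Centreon Web version against the advisory's fixed releases.

Added example, not Centreon code. Assumes the on-premise version string is
MAJOR.MINOR.PATCH; the fix table and the 24.04 recommendation come from the advisory.
"""
import re

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (22, 10): (22, 10, 23),
    (23, 4): (23, 4, 19),
    (23, 10): (23, 10, 13),
    (24, 4): (24, 4, 3),
}
OLDEST_SUPPORTED_BRANCH = (22, 10)
RECOMMENDED_UPGRADE = "24.04"  # advisory's target for unsupported branches

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints; reject anything else."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Centreon version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def format_version(version):
    """Render (24, 4, 3) as '24.04.3', the advisory's zero-padded notation."""
    major, minor, patch = version
    return f"{major}.{minor:02d}.{patch}"


def assess(version_text):
    """Classify a running version as patched, vulnerable, unsupported, or unlisted."""
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        if branch < OLDEST_SUPPORTED_BRANCH:
            # Advisory: unsupported versions should move to 24.04.
            return {"version": version_text, "status": "unsupported",
                    "action": f"upgrade to Centreon Web {RECOMMENDED_UPGRADE}"}
        # A branch newer than those the advisory lists carries no verdict here.
        return {"version": version_text, "status": "unlisted",
                "action": "branch not covered by this advisory; check the vendor advisory"}
    # Tuple comparison gives the usual major.minor.patch ordering.
    if version >= fixed:
        return {"version": version_text, "status": "patched", "action": "none"}
    return {"version": version_text, "status": "vulnerable",
            "action": f"upgrade to Centreon Web {format_version(fixed)}"}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"mon-01": "24.04.2", "mon-02": "23.10.13", "mon-03": "21.10.5"}
    for host, ver in inventory.items():
        result = assess(ver)
        print(f"{host}: {ver} -> {result['status']} ({result['action']})")
```

Comparing within the branch matters: 23.10.12 is older than 24.04.2 numerically, yet 24.04.2 is still vulnerable while 23.10.13 is fixed, so a single "newest version" threshold would misclassify hosts.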