
CVE-2019-17106: Centreon Sensitive Data Exposure

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.34088%
Published: 5/24/2022
Updated: 10/4/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name: centreon/centreon
Ecosystem: composer
Vulnerable Versions: <= 2.8.29
First Patched Version: 2.8.30

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from improper handling of password-type macros in the host/service configuration forms. Pull request #9311 modifies the affected functions to fix the password exposure by adding placeholder handling and preventing cleartext storage. Issue #7098 explicitly references cleartext password exposure in server responses, which aligns with the CWE-312 classification. The functions in DB-Func.php were modified directly in the patch to address password masking, confirming their role in the vulnerability.

WAF Protection Rules

WAF Rule

In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.
