SQL Injection Vulnerability in LibreNMS Allows Attacker to Extract Sensitive Data
CVE-2024-32461

8.8HIGH

Key Information:

Vendor: Librenms
Status: Librenms
Vendor: CVE Published:; 22 April 2024

What is CVE-2024-32461?

A significant SQL injection vulnerability exists in the LibreNMS network monitoring system, affecting versions prior to 24.4.0. Through a flaw in the handling of POST requests sent to /search/search=packages, users possessing global read privileges can manipulate the package parameter to execute arbitrary SQL commands. This potential exploitation could lead to unauthorised access to sensitive database information, including critical administrator credentials. Users are advised to update to version 24.4.0 or later to mitigate this risk.

Affected Version(s)

librenms < 24.4.0

References

https://github.com/librenms/librenms/security/advisories/...

x_refsource_CONFIRM

https://github.com/librenms/librenms/commit/d29201fce1343...

x_refsource_MISC

https://doc.clickup.com/9013166444/p/h/8ckm0bc-53/1681199...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 22, 2024
Vulnerability Reserved
Apr 12, 2024

Librenms

What is CVE-2024-32461?

Affected Version(s)

References

CVSS V3.1

Timeline