CVE-2024-55573

Critical

Published: 23 January 2025

Published

23 January 2025

Modified

06 June 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0015 34.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in Centreon centreon-web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to inject SQL into the form used to create virtual metrics.

Security Summary

CVE-2024-55573 is a SQL injection vulnerability (CWE-89) discovered in Centreon centreon-web, affecting versions 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, and 23.04.x before 23.04.24. The flaw exists in the form used to create virtual metrics, where insufficient input validation allows malicious SQL payloads to be injected.

A high-privileged user (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation results in high impacts to confidentiality, integrity, and availability (C:I:A:H), with a changed scope (S:C), earning a CVSS v3.1 base score of 9.1.

Advisories recommend updating to the fixed versions: 24.10.3, 24.04.9, 23.10.19, or 23.04.24. Additional details on patches and mitigations are available in the Centreon security bulletin at https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55573-centreon-web-critical-severity-4264 and GitHub releases at https://github.com/centreon/centreon/releases.

Details

CWE(s): CWE-89

Affected Products

centreon

centreon web

23.04.0 — 23.04.24 · 23.10.0 — 23.10.19 · 24.04.0 — 24.04.9

References

https://github.com/centreon/centreon/releases
Release Notes · cve@mitre.org
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55573-centreon-web-critical-severity-4264
Vendor Advisory · cve@mitre.org