Nagios XI
cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*
- < 2024R1.2
A command injection vulnerability has been identified in Nagios XI versions prior to 2024R1.2, specifically within the Docker Wizard. It arises from inadequate validation of user input, which allows authenticated administrators to inject shell metacharacters; the injected input is then executed as commands on the server, with the same privileges as the Nagios XI web application user.
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the privileges of the Nagios XI web application user.
To reproduce this vulnerability, an authenticated administrator can navigate to the Docker Wizard in Nagios XI. Once there, they can inject shell metacharacters into user input fields. After submitting the input, the injected commands will be executed on the server, demonstrating the command injection vulnerability.
Users can upgrade to Nagios XI version 2024R1.2 or later, where this vulnerability has been fixed.
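As an added illustration (not Nagios XI code, and not from the vendor fix), the weakness class described above is shown beside its hardened form in Python: the container-name field, the `docker inspect` command and the allow-list pattern are assumptions made for this example.

```python
import re
import shlex
import subprocess
import sys

# Allow-list for a hypothetical container-name field: letters, digits, '.', '_', '-'.
# (Constructed pattern; the wizard's real field rules are not on the page.)
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")

# Characters a POSIX shell treats specially; their presence in a free-text
# field is worth logging before the request is rejected.
SHELL_METACHARS = set(";|&$`<>()\n\\\"'*?{}[]~")


def has_shell_metachars(value: str) -> bool:
    """Detection helper: True if any shell metacharacter is present."""
    return any(ch in SHELL_METACHARS for ch in value)


def vulnerable_command(name: str) -> str:
    """Anti-pattern: untrusted input concatenated into a shell command line."""
    return f"docker inspect {name}"


def shell_tokens(cmd: str) -> list:
    """Tokenise as a shell would, so the structural effect of ';' is visible."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def validate_name(name: str) -> str:
    """Reject anything outside the allow-list instead of trying to escape it."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"rejected container name: {name!r}")
    return name


def safe_argv(name: str) -> list:
    """Hardened form: validated value passed as one argv element, no shell."""
    return ["docker", "inspect", validate_name(name)]


def run_literal(arg: str) -> str:
    """Show an argv element reaching the child verbatim when no shell is involved.
    The Python interpreter stands in for the docker binary so this runs anywhere."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    tainted = "web01; echo injected"  # constructed sample containing a metacharacter
    print(shell_tokens(vulnerable_command(tainted)))  # ';' becomes a command separator
    print(has_shell_metachars(tainted))
    print(safe_argv("web01"))
    print(run_literal(tainted))  # printed verbatim: the ';' has no effect
```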