CVE-2014-5340 : The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which all

The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL.

Published 2014-09-02 14:55:04

Updated 2018-10-09 19:50:09

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2014-5340

Probability of exploitation activity in the next 30 days: 5.48%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 92 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-5340

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2014-5340

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-5340

http://www.securityfocus.com/archive/1/533180/100/0/threaded

SecurityFocus

CVEs referencing this url
http://mathias-kettner.de/check_mk_werks.php?werk_id=984

Fix code injection for logged in users via automation url (Werk #0984) | checkmk
Patch;Vendor Advisory
http://packetstormsecurity.com/files/127941/Deutsche-Telekom-CERT-Advisory-DTC-A-20140820-001.html

Deutsche Telekom CERT Advisory DTC-A-20140820-001 ≈ Packet Storm

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-1495.html

RHSA-2015:1495 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url

Products affected by CVE-2014-5340

Check Mk Project » Check Mk » Update P3
Versions up to, including, (<=) 1.2.4
cpe:2.3:a:check_mk_project:check_mk:*:p3:*:*:*:*:*:*
Matching versions
Check Mk Project » Check Mk » Version: 1.2.4 Update P2
cpe:2.3:a:check_mk_project:check_mk:1.2.4:p2:*:*:*:*:*:*
Matching versions
Check Mk Project » Check Mk » Version: 1.2.4 Update P1
cpe:2.3:a:check_mk_project:check_mk:1.2.4:p1:*:*:*:*:*:*
Matching versions
Check Mk Project » Check Mk » Version: 1.2.5 Update I1
cpe:2.3:a:check_mk_project:check_mk:1.2.5:i1:*:*:*:*:*:*
Matching versions
Check Mk Project » Check Mk » Version: 1.2.5 Update I3
cpe:2.3:a:check_mk_project:check_mk:1.2.5:i3:*:*:*:*:*:*
Matching versions
Check Mk Project » Check Mk » Version: 1.2.5 Update I2
cpe:2.3:a:check_mk_project:check_mk:1.2.5:i2:*:*:*:*:*:*
Matching versions
Check Mk Project » Check Mk » Version: 1.2.4
cpe:2.3:a:check_mk_project:check_mk:1.2.4:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-5340

Exploit prediction scoring system (EPSS) score for CVE-2014-5340

CVSS scores for CVE-2014-5340

CWE ids for CVE-2014-5340

References for CVE-2014-5340

Products affected by CVE-2014-5340