CVE-2024-39843: 
Centreon vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in Centreon 24.04.2, identified as CVE-2024-39843. The vulnerability allows remote high-privileged attackers to execute arbitrary SQL commands through the create user form inputs. This security issue was initially reported by Trend Micro Security Research and was publicly disclosed in September 2024 (ZDI, NVD).

The vulnerability exists within the create user form functionality of Centreon Web. The specific flaw stems from improper validation of user-supplied strings before their use in SQL query construction. The vulnerability has received a CVSS v3.1 base score of 6.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L, indicating that while the attack requires high privileges, it can be executed remotely with low attack complexity (CISA-ADP).

When successfully exploited, this vulnerability can lead to unauthorized access to sensitive data and potential manipulation of the database. The impact is particularly significant as it affects the user management system, potentially compromising the integrity of user authentication and authorization mechanisms (Centreon Security Bulletin).

Centreon has released security updates to address this vulnerability. Users are strongly recommended to upgrade to the latest patched versions of Centreon Web, which include version 24.04.6, 23.10.16, 23.04.21, or 22.10.24. These updates contain cumulative fixes for this and other security issues (Centreon Security Bulletin).