
Cloud Vulnerability DB
A community-led vulnerabilities database
A SQL injection vulnerability was discovered in the centreon-bi-server component of Centreon BI Server, affecting versions 24.04.x before 24.04.3, 23.10.x before 23.10.8, 23.04.x before 23.04.11, and 22.10.x before 22.10.11. The vulnerability was discovered on July 31, 2024, and publicly disclosed on October 10, 2024 (Centreon Bulletin).
The vulnerability is in the functionality that lists configured reporting jobs. It permits SQL injection, and only authenticated users with high-privileged access can exploit it. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).
If successfully exploited, the vulnerability could allow authenticated attackers with high privileges to execute arbitrary SQL commands through the reporting jobs listing functionality, potentially leading to unauthorized data access, modification, or deletion of database contents (Centreon Bulletin).
Centreon has released security updates to address this vulnerability. Users are advised to upgrade to the fixed version for their branch: Centreon BI Server 24.04.3, Centreon BI Server 23.10.8, Centreon BI Server 23.04.11, or Centreon BI Server 22.10.11 (Centreon Bulletin).
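The affected ranges above can be checked against an inventory of installed versions. The following is an added example, not code from Centreon or from this database; the function names, hostnames and inventory are constructed, and it assumes the installed centreon-bi-server version string has already been collected from the package manager.

```python
import re

# Fixed release per maintenance branch, taken from the advisory text above.
FIXED = {
    (24, 4): (24, 4, 3),
    (23, 10): (23, 10, 8),
    (23, 4): (23, 4, 11),
    (22, 10): (22, 10, 11),
}

def parse_version(raw):
    """Return (major, minor, patch) from e.g. '23.10.7' or '1:23.10.7-1.el8'."""
    m = re.match(r"\s*(?:\d+:)?(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(part) for part in m.groups())

def fmt(version):
    """Render a tuple back in Centreon's YY.MM.patch style."""
    return f"{version[0]}.{version[1]:02d}.{version[2]}"

def assess(raw):
    """Classify one version as 'affected', 'fixed' or 'unlisted'.

    'unlisted' means the branch is not named in the advisory, so the
    advisory text alone cannot say whether it is vulnerable.
    """
    version = parse_version(raw)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return ("unlisted", None)
    # Tuples compare numerically, so 22.10.9 sorts before 22.10.11.
    status = "affected" if version < fixed else "fixed"
    return (status, fmt(fixed))

def hosts_to_upgrade(inventory):
    """Map each affected host to the version it should be upgraded to."""
    return {host: assess(raw)[1] for host, raw in inventory.items()
            if assess(raw)[0] == "affected"}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "bi-prod-01": "24.04.2-1.el8",
    "bi-prod-02": "23.10.8",
    "bi-lab-01": "22.10.9",
    "bi-old-01": "21.10.5",
}

if __name__ == "__main__":
    for host, target in hosts_to_upgrade(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target}")
```

Hosts reported as "unlisted" run a branch the advisory does not mention and need a manual check against the Centreon Bulletin.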
The vulnerability was discovered and reported by security researchers Matthew Taylor, Ludovic Tavernier and Rémi Millerand from Algosecure (Centreon Bulletin).
Source: This report was generated using AI