FixVibe
Covered by FixVibe: critical

# Critical OS Command Injection in LibreNMS (CVE-2024-51092)

LibreNMS versions up to 24.9.1 contain a critical OS command injection vulnerability (CVE-2024-51092). Authenticated attackers can execute arbitrary commands on the host system, potentially leading to total compromise of the monitoring infrastructure.

Identifiers: CVE-2024-51092, GHSA-x645-6pf9-xwxw, CWE-78

## Impact

LibreNMS versions 24.9.1 and earlier contain a vulnerability that allows authenticated users to perform OS command injection [S2]. Successful exploitation enables the execution of arbitrary commands with the privileges of the web server user [S1]. This can lead to full system compromise, unauthorized access to sensitive monitoring data, and potential lateral movement within the network infrastructure managed by LibreNMS [S2].

## Root Cause

The vulnerability is rooted in the improper neutralization of user-supplied input before it is incorporated into an operating system command [S1]. This flaw is classified as CWE-78 [S1]. In affected versions, specific authenticated endpoints fail to adequately validate or sanitize parameters before passing them to system-level execution functions [S2].
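The CWE-78 pattern described above, shown as an added illustration that is not LibreNMS code and does not reproduce the affected endpoint: `buildCommandUnsafe()`, `buildCommandSafe()`, `pingTarget()`, the `$host` parameter and the `ping` command are all hypothetical stand-ins for any handler that turns a request parameter into an OS command. The unsafe builder concatenates the parameter into the command string; the hardened one validates it against a strict allowlist (hostname or IP literal) and then quotes it with `escapeshellarg()` before it reaches the execution sink.

```php
<?php
declare(strict_types=1);

// Added example, not LibreNMS code. buildCommandUnsafe(), buildCommandSafe(),
// pingTarget() and the $host parameter are hypothetical stand-ins for an endpoint
// that turns a request parameter into an OS command.

// CWE-78 pattern: the parameter is concatenated into the command string, so any
// shell metacharacters it contains are parsed by /bin/sh instead of being treated
// as data.
function buildCommandUnsafe(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Hardened: reject anything that is not a hostname or IP literal, then quote the
// value with escapeshellarg() so the shell never interprets it. Validation is the
// primary control; escaping is the second layer.
function buildCommandSafe(string $host): string
{
    $hostnameRe = '/\A(?=.{1,253}\z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
                . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z/';
    $isHostname = preg_match($hostnameRe, $host) === 1;
    $isIp       = filter_var($host, FILTER_VALIDATE_IP) !== false;
    if (!$isHostname && !$isIp) {
        throw new InvalidArgumentException('Rejected target: ' . $host);
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Only the hardened builder should ever reach the execution sink.
function pingTarget(string $host): string
{
    return (string) shell_exec(buildCommandSafe($host));
}

// Constructed inputs: two valid targets and one containing a shell metacharacter.
// Nothing is executed here; the demo only prints what each builder would run.
$inputs = ['db01.example.internal', '10.0.0.7', 'db01;extra'];
foreach ($inputs as $in) {
    echo "input: {$in}\n";
    echo "  unsafe: " . buildCommandUnsafe($in) . "\n";
    try {
        echo "  safe:   " . buildCommandSafe($in) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:   " . $e->getMessage() . "\n";
    }
}
```

The third input is rejected before any command string is built, which is the behaviour to look for when reviewing a fix: the allowlist check, not the escaping alone, is what keeps the parameter from influencing the command. A further hardening step, where the PHP version and code structure allow it, is to avoid the shell entirely by passing the program and its arguments as an array (for example through `proc_open()`), so no string is ever re-parsed by `/bin/sh`.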

## Remediation

Users should upgrade their LibreNMS installation to version 24.10.0 or later to resolve this issue [S2]. As a general security best practice, access to the LibreNMS administrative interface should be restricted to trusted network segments using firewalls or access control lists (ACLs) [S1].

## How FixVibe tests for it

FixVibe now includes this in GitHub repo scans. The check reads authorized repository dependency files only, including composer.lock and composer.json. It flags librenms/librenms locked versions or constraints that match the affected range <=24.9.1, then reports the dependency file, line number, advisory IDs, affected range, and fixed version.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.
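The check described in this section, as an added example that is not FixVibe's own scanner: it reads the text of `composer.lock` and `composer.json`, looks for `librenms/librenms`, compares the locked version or the constraint's lower bound against the affected range `<=24.9.1`, and reports the dependency file, line number, advisory IDs, affected range and fixed version. The function names and the two sample files are constructed for this example; the constraint handling is deliberately simplified (exact versions and the `^`, `~`, `>=` forms only).

```php
<?php
declare(strict_types=1);

// Added example, not FixVibe's scanner: a miniature of the static, read-only
// dependency check described on this page. All names and inputs are constructed.

const ADVISORY = [
    'package'      => 'librenms/librenms',
    'ids'          => ['CVE-2024-51092', 'GHSA-x645-6pf9-xwxw'],
    'affected'     => '<=24.9.1',
    'max_affected' => '24.9.1',
    'fixed'        => '24.10.0',
];

/** 1-based number of the first line containing $needle, or 0 if absent. */
function findLine(string $text, string $needle): int
{
    foreach (explode("\n", $text) as $i => $line) {
        if (strpos($line, $needle) !== false) {
            return $i + 1;
        }
    }
    return 0;
}

/**
 * Lower bound of a composer constraint, or null when it cannot be determined.
 * Simplified on purpose: exact versions and the ^, ~, >= forms only; wildcards,
 * branch aliases and OR-ed ranges are reported as unknown rather than guessed.
 */
function constraintLowerBound(string $constraint): ?string
{
    if (preg_match('/\A(?:\^|~|>=|=)?v?(\d+(?:\.\d+){0,3})\z/', trim($constraint), $m) !== 1) {
        return null;
    }
    return $m[1];
}

function isAffected(string $version): bool
{
    return version_compare($version, ADVISORY['max_affected'], '<=');
}

function finding(string $path, int $line, string $match): array
{
    return [
        'file' => $path, 'line' => $line, 'package' => ADVISORY['package'],
        'match' => $match, 'ids' => ADVISORY['ids'],
        'affected' => ADVISORY['affected'], 'fixed' => ADVISORY['fixed'],
    ];
}

/** Scan one dependency file's text; returns a list of findings (possibly empty). */
function scanDependencyFile(string $path, string $text): array
{
    $data = json_decode($text, true);
    if (!is_array($data)) {
        return [];
    }
    $pkg = ADVISORY['package'];
    $needle = '"' . $pkg . '"';
    $findings = [];

    if (basename($path) === 'composer.lock') {
        // Locked versions are authoritative: flag exactly what would be installed.
        foreach (['packages', 'packages-dev'] as $section) {
            foreach ($data[$section] ?? [] as $entry) {
                $version = ltrim((string) ($entry['version'] ?? ''), 'v');
                if (($entry['name'] ?? '') === $pkg && $version !== '' && isAffected($version)) {
                    $findings[] = finding($path, findLine($text, $needle), 'locked ' . $entry['version']);
                }
            }
        }
    } else {
        // composer.json carries constraints; a lower bound inside the affected
        // range means the constraint can resolve to a vulnerable release.
        foreach (['require', 'require-dev'] as $section) {
            $constraint = $data[$section][$pkg] ?? null;
            if ($constraint === null) {
                continue;
            }
            $low = constraintLowerBound((string) $constraint);
            if ($low !== null && isAffected($low)) {
                $findings[] = finding($path, findLine($text, $needle), "constraint {$constraint} (lower bound {$low})");
            }
        }
    }
    return $findings;
}

// Constructed sample inputs, not taken from any real repository.
$lock = <<<'JSON'
{
  "packages": [
    {"name": "monolog/monolog", "version": "3.5.0"},
    {"name": "librenms/librenms", "version": "24.9.1"}
  ],
  "packages-dev": []
}
JSON;

$json = <<<'JSON'
{
  "require": {
    "monolog/monolog": "^3.0",
    "librenms/librenms": "^24.8"
  }
}
JSON;

$results = array_merge(scanDependencyFile('composer.lock', $lock), scanDependencyFile('composer.json', $json));
foreach ($results as $f) {
    printf("%s:%d %s %s [%s] affected %s, fixed in %s\n",
        $f['file'], $f['line'], $f['package'], $f['match'],
        implode(', ', $f['ids']), $f['affected'], $f['fixed']);
}
```

Running this prints one finding per file, both at line 4 of their constructed inputs. The lock-file finding is the reliable one; the `composer.json` finding says only that `^24.8` can resolve to an affected release, which is why a check like this reads both files and treats the locked version as the final answer when one exists.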