Cyber Resilience

CVE-2024-32501 (Critical)

Published: 23 August 2024
Modified: 09 May 2025
KEV Added: not listed
Patch: fix available in the vendor maintenance releases listed below
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0438 (89.2nd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-32501 is a critical-severity SQL Injection (CWE-89) vulnerability in Centreon Web, by Centreon. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A SQL Injection vulnerability tracked as CVE-2024-32501 affects the updateServiceHost functionality in Centreon Web versions 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. The flaw is classified under CWE-89 and carries a CVSS 3.1 base score of 9.8, reflecting a network-accessible attack with low complexity that requires no authentication or user interaction.

Unauthenticated remote attackers can supply crafted input to the affected function, enabling arbitrary SQL commands that may result in complete compromise of the confidentiality, integrity, and availability of the Centreon Web instance and its underlying data.

Vendor advisories hosted at centreon.com and thewatch.centreon.com direct administrators to apply the listed maintenance releases that contain the fix for the injection issue.

The associated EPSS score reached a modest peak of 0.0563 before receding to its current value of 0.0438.
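As an added example (not part of this record and not Centreon's own code), the following Python helper turns the affected-version ranges stated in the analysis above into an inventory check. The branch-to-fixed-version table is taken from the versions given in this record; the "MAJOR.MINOR.PATCH" format of the installed version string is an assumption.

```python
# Added example: decide whether an installed Centreon Web version falls inside
# the ranges listed for CVE-2024-32501. The per-branch fixed versions below are
# the ones stated in the record (24.04.3, 23.10.13, 23.04.19, 22.10.23).
from typing import Optional, Tuple

# (major, minor) branch -> first version of that branch containing the fix
FIXED_IN = {
    (22, 10): (22, 10, 23),
    (23, 4): (23, 4, 19),
    (23, 10): (23, 10, 13),
    (24, 4): (24, 4, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (e.g. '23.10.12') into a comparable tuple.

    A missing patch component is treated as 0. Anything non-numeric is rejected
    so a malformed inventory field cannot silently read as "not affected".
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Centreon Web version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is affected, False if it carries the fix, and None
    when the branch is not covered by this record (e.g. an older 21.x build),
    which should be routed to manual review rather than treated as safe."""
    version = parse_version(text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


if __name__ == "__main__":
    # Constructed sample inventory values, one per outcome
    for v in ["22.10.22", "22.10.23", "23.04.19", "23.10.12", "24.04", "21.10.5"]:
        label = {True: "AFFECTED", False: "fixed", None: "unknown branch"}
        print(f"{v:>9}: {label[is_affected(v)]}")
```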

Vulnerability details

A SQL Injection vulnerability exists in the updateServiceHost functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: centreon
Product: centreon web
Versions: 22.10.0 to 22.10.23 · 23.04.0 to 23.04.19 · 23.10.0 to 23.10.13

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.