Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474.
2025-10-07T20:15:35.277
2025-11-06T16:40:35.863
Analyzed
CVSSv3.1: 8.5 (HIGH)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | nagios | log_server | < 2024 | Yes |
| Application | nagios | log_server | 2024 | Yes |
| Application | nagios | log_server | 2024 | Yes |
| Application | nagios | log_server | 2024 | Yes |
| Application | nagios | log_server | 2024 | Yes |
| Application | nagios | log_server | 2024 | Yes |
| Application | nagios | log_server | 2024 | Yes |
| Application | nagios | log_server | 2024 | Yes |