PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6188 Munin Monitoring CVE debrief

CVE-2017-6188 affects Munin's CGI graph handling. When CGI graphs are enabled, supplying multiple upper_limit GET parameters can trigger a local file write that may overwrite files accessible to www-data. The issue is publicly documented in the CVE record, NVD detail, and linked issue/advisory references.

Vendor: Munin Monitoring
Product: CVE-2017-6188
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-22
Original CVE updated: 2026-05-13
Advisory published: 2017-02-22
Advisory updated: 2026-05-13

Who should care

Administrators of Munin deployments, especially on systems where CGI graphs are enabled and where service-account or web-accessible paths are writable by www-data. Debian and Gentoo package maintainers, and operators relying on distro packages, should also verify whether they have received a backport.

Technical summary

NVD classifies the issue as CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N with CWE-20. The CVE description says Munin before 2.999.6 is vulnerable when CGI graphs are enabled; multiple upper_limit GET parameters can overwrite files accessible to the www-data user. NVD's affected CPE criteria also enumerate Munin version ranges that should be checked against vendor packaging and backports.

Defensive priority

Medium. Prioritize exposed or internet-reachable Munin instances and any host where CGI graphs are enabled, because the impact is integrity-focused file overwrite under the web user account.

Recommended defensive actions

  • Upgrade Munin to a fixed release at or above 2.999.6, or install the vendor/distribution package that includes the backported fix.
  • Disable CGI graphs if they are not required.
  • Limit access to Munin CGI endpoints to trusted administrators or management networks.
  • Reduce the permissions of the www-data account and verify it cannot write to sensitive application, configuration, or script paths.
  • Review logs and file-integrity monitoring for unexpected overwrites or unusual requests involving upper_limit parameters.
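An added example (not from PatchSiren or the Munin project) of the log review in the last item above: it walks web-server access-log lines and flags requests to the CGI graph script that carry more than one upper_limit parameter, the trigger condition this debrief describes. It assumes Apache/nginx combined log format and the default munin-cgi-graph URL path; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common access log: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Path fragment of Munin's CGI graph script (assumed default install layout).
CGI_GRAPH_MARKER = "munin-cgi-graph"

def count_upper_limit(target: str) -> int:
    """Number of upper_limit parameters in the request target's query string."""
    query = urlsplit(target).query
    # keep_blank_values so a bare `upper_limit=` still counts as supplied
    return len(parse_qs(query, keep_blank_values=True).get("upper_limit", []))

def is_suspicious(line: str) -> bool:
    """True for a CGI graph request carrying more than one upper_limit."""
    m = LOG_RE.match(line)
    if m is None:
        return False
    target = m.group("target")
    if CGI_GRAPH_MARKER not in urlsplit(target).path:
        return False  # other endpoints never reach munin-cgi-graph
    return count_upper_limit(target) > 1

def scan(lines):
    """Return (client, target) for every suspicious request in an access log."""
    hits = []
    for line in lines:
        if is_suspicious(line):
            m = LOG_RE.match(line)
            hits.append((m.group("client"), m.group("target")))
    return hits

# Constructed sample log: a plain graph request, a single upper_limit, a
# repeated upper_limit on the CGI graph path (flag), and a repeated
# upper_limit on an unrelated path (do not flag).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2017:10:00:01 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host1/cpu-day.png HTTP/1.1" 200 5123
10.0.0.5 - - [22/Feb/2017:10:00:02 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host1/cpu-day.png?upper_limit=100 HTTP/1.1" 200 5123
10.0.0.9 - - [22/Feb/2017:10:00:03 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host1/cpu-day.png?upper_limit=100&upper_limit=200 HTTP/1.1" 200 5123
10.0.0.9 - - [22/Feb/2017:10:00:04 +0000] "GET /index.html?upper_limit=1&upper_limit=2 HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG.splitlines()):
        print(f"suspicious request from {client}: {target}")
```

Only the third sample line is reported; a repeated parameter on a path that never reaches munin-cgi-graph is left alone, which keeps the rule from firing on unrelated traffic.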

Evidence notes

The supplied CVE description states the bug exists in Munin before 2.999.6 and is triggered when CGI graphs are enabled. The NVD record lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N and CWE-20, and links issue-tracking/advisory sources including GitHub issue 721, Debian bug 855705, Gentoo GLSA 201710-05, Debian DSA-3794, and SecurityFocus BID 96399. The NVD metadata was modified on 2026-05-13, but the CVE publication date remains 2017-02-22.

Official resources

Publicly disclosed through the 2017 CVE/NVD record and linked advisories. No KEV entry or ransomware campaign use is recorded in the supplied data.