CVE-2009-4112

Name: CVE-2009-4112
Description: Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 561339

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version                  Status
cacti (PTS)      wheezy              0.8.8a+dfsg-5+deb7u8     vulnerable
                 wheezy (security)   0.8.8a+dfsg-5+deb7u10    vulnerable
                 jessie              0.8.8b+dfsg-8+deb8u6     vulnerable
                 jessie (security)   0.8.8b+dfsg-8+deb8u4     vulnerable
                 stretch             0.8.8h+ds1-10            vulnerable
                 buster, sid         1.1.28+ds1-2             vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
cacti     source   (unstable)   (unfixed)       unimportant            561339

Notes

4B0E1566.1070509@moritz-naumann.com in bugtraq
Exploitation requires administrator access to Cacti (an administrator can already edit the command string that the poller runs), so the issue is rated unimportant; upstream will implement a whitelist of permitted Data Input Method command strings rather than treat this as a conventional fix.
https://github.com/Cacti/cacti/issues/1072
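As an added illustration of the whitelist approach the note above refers to (this is example code written for this page, not Cacti's own implementation or the code behind the linked issue), the check below fingerprints each stock Data Input Method command string at install time and lets the poller run a method only if its current string still matches. The stock "Linux - Get Memory Usage" string and the second entry are assumed to mirror Cacti's defaults; the sample strings are constructed for the example.

```python
import hashlib

# Constructed sample of stock Data Input Method strings, as an administrator
# sees them under Cacti's "Data Input Methods". The strings are assumed to
# match Cacti's defaults; the angle-bracket placeholders are expanded by the
# poller at run time, so they must be whitelisted verbatim, placeholders
# included.
STOCK_INPUT_STRINGS = {
    "Linux - Get Memory Usage": "perl <path_cacti>/scripts/linux_memory.pl <grepstr>",
    "Unix - Get Load Average": "perl <path_cacti>/scripts/loadavg_multi.pl",
}


def fingerprint(input_string: str) -> str:
    # Hash the exact string so that any edit, including an appended
    # "; <command>", produces a different fingerprint.
    return hashlib.sha256(input_string.encode("utf-8")).hexdigest()


# Built once, before any administrator has had a chance to edit the methods.
WHITELIST = {name: fingerprint(s) for name, s in STOCK_INPUT_STRINGS.items()}


def check_input_method(name: str, input_string: str) -> tuple[bool, str]:
    """Decide whether the poller may hand this Data Input Method to a shell.

    Returns (allowed, reason). A method is allowed only when its name is in
    the whitelist and the fingerprint of its current string matches the one
    recorded there; an unknown method or a modified string is refused.
    """
    expected = WHITELIST.get(name)
    if expected is None:
        return False, "method not in whitelist"
    if fingerprint(input_string) != expected:
        return False, "input string modified since whitelisting"
    return True, "ok"


def poller_should_run(name: str, input_string: str) -> bool:
    # The gate the poller applies immediately before executing the string.
    allowed, _reason = check_input_method(name, input_string)
    return allowed


if __name__ == "__main__":
    stock = STOCK_INPUT_STRINGS["Linux - Get Memory Usage"]
    # An administrator appends a second command to the stock string.
    tampered = stock + "; id > /tmp/pwned"
    for candidate in (stock, tampered):
        print(candidate, "->", check_input_method("Linux - Get Memory Usage", candidate))
```

The whitelist only helps if the web application's user cannot rewrite it: store it in a file owned by root (or another account the web server cannot write as), and require a deliberate out-of-band step to approve a genuinely new or edited method. If the same administrator who edits the command string can also re-approve it from the web interface, the check adds nothing.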
