Name | CVE-2014-2709 |
Description | lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
References | DSA-2970-1 |
NVD severity | high |
Debian Bugs | 743565 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
cacti (PTS) | stretch (security), stretch | 0.8.8h+ds1-10+deb9u1 | fixed |
buster | 1.2.2+ds1-2+deb10u4 | fixed | |
buster (security) | 1.2.2+ds1-2+deb10u2 | fixed | |
bullseye, sid | 1.2.16+ds1-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
cacti | source | squeeze | 0.8.7g-1+squeeze4 | 743565 | ||
cacti | source | wheezy | 0.8.8a+dfsg-5+deb7u3 | DSA-2970-1 | ||
cacti | source | (unstable) | 0.8.8b+dfsg-4 | 743565 |
http://bugs.cacti.net/view.php?id=2405 (not yet public)
http://svn.cacti.net/viewvc?view=rev&revision=7439
CVE for all changes to lib/rrd.php to add cacti_escapeshellarg calls