CVE-2019-17358

NameCVE-2019-17358
DescriptionCacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2032-1, DSA-4604-1
Debian Bugs947375

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cacti (PTS)buster1.2.2+ds1-2+deb10u4fixed
buster (security)1.2.2+ds1-2+deb10u5fixed
bullseye (security), bullseye1.2.16+ds1-2+deb11u1fixed
bookworm, sid1.2.24+ds1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cactisourcejessie0.8.8b+dfsg-8+deb8u8DLA-2032-1
cactisourcestretch0.8.8h+ds1-10+deb9u1DSA-4604-1
cactisourcebuster1.2.2+ds1-2+deb10u2DSA-4604-1
cactisource(unstable)1.2.8+ds1-1947375

Notes

https://github.com/Cacti/cacti/issues/3026
https://github.com/Cacti/cacti/commit/adf221344359f5b02b8aed43dfb6b33ae5d708c8
Search for package or bug name: Reporting problems