CVE-2023-49084

Name: CVE-2023-49084
Description: Cacti is a robust performance and fault management framework and a frontend to RRDTool, a Time Series Database (TSDB). By combining the detected SQL injection with insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `link.php`. The impact of the vulnerability is execution of arbitrary code on the server.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3765-1, DSA-5646-1
Debian Bugs: 1059254

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version                 Status
cacti (PTS)      buster               1.2.2+ds1-2+deb10u4     vulnerable
                 buster (security)    1.2.2+ds1-2+deb10u6     fixed
                 bullseye             1.2.16+ds1-2+deb11u2    vulnerable
                 bullseye (security)  1.2.16+ds1-2+deb11u3    fixed
                 bookworm             1.2.24+ds1-1+deb12u1    vulnerable
                 bookworm (security)  1.2.24+ds1-1+deb12u2    fixed
                 sid, trixie          1.2.26+ds1-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version           Urgency   Origin       Debian Bugs
cacti     source   buster       1.2.2+ds1-2+deb10u6               DLA-3765-1
cacti     source   bullseye     1.2.16+ds1-2+deb11u3              DSA-5646-1
cacti     source   bookworm     1.2.24+ds1-1+deb12u2              DSA-5646-1
cacti     source   (unstable)   1.2.26+ds1-1                                   1059254

Notes

https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26)
https://github.com/Cacti/cacti/commit/c3a647e9867ae8e2982e26342630ba9edb2d94b7 (release/1.2.26)
Mitigated in Debian by not shipping or creating the 'include/content/' directory.