Debian Bug report logs -
#1059254
cacti: CVE-2023-49084 CVE-2023-49086
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#1059254; Package src:cacti.
(Fri, 22 Dec 2023 08:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>.
(Fri, 22 Dec 2023 08:42:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: cacti
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for cacti.
CVE-2023-49084[0]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). While using the
| detected SQL Injection and insufficient processing of the include
| file path, it is possible to execute arbitrary code on the server.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `link.php`. Impact of the
| vulnerability execution of arbitrary code on the server.
https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
CVE-2023-49086[1]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). Bypassing an
| earlier fix (CVE-2023-39360) that leads to a DOM XSS attack.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `graphs_new.php`. Impact of
| the vulnerability - execution of arbitrary javascript code in the
| attacked user's browser. This issue has been patched in version
| 1.2.26.
https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
I think https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
should address both, but please doublecheck.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-49084
https://www.cve.org/CVERecord?id=CVE-2023-49084
[1] https://security-tracker.debian.org/tracker/CVE-2023-49086
https://www.cve.org/CVERecord?id=CVE-2023-49086
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 22 Dec 2023 20:09:02 GMT) (full text, mbox, link).
Marked as found in versions cacti/1.2.25+ds1-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 22 Dec 2023 20:09:16 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Dec 23 08:19:08 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon