Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

cacti: CVE-2019-16723

Related Vulnerabilities: CVE-2019-16723  

Source

Debian Bug report logs - #941036
cacti: CVE-2019-16723

version graph

Package: src:cacti; Maintainer for src:cacti is Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 23 Sep 2019 20:21:02 UTC

Severity: important

Tags: security, upstream

Found in version cacti/1.2.6+ds1-2

Forwarded to https://github.com/Cacti/cacti/issues/2964

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#941036; Package src:cacti. (Mon, 23 Sep 2019 20:21:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 23 Sep 2019 20:21:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2019-16723
Date: Mon, 23 Sep 2019 22:20:27 +0200
Source: cacti
Version: 1.2.6+ds1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/Cacti/cacti/issues/2964

Hi,

The following vulnerability was published for cacti, filling for
tracking the upstream issue. At time of writing, I think there was not
a patch upstream yet.

CVE-2019-16723[0]:
| In Cacti through 1.2.6, authenticated users may bypass authorization
| checks (for viewing a graph) via a direct graph_json.php request with
| a modified local_graph_id parameter.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16723
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16723
[1] https://github.com/Cacti/cacti/issues/2964

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#941036; Package src:cacti. (Mon, 23 Sep 2019 20:33:09 GMT) (full text, mbox, link).

Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 23 Sep 2019 20:33:09 GMT) (full text, mbox, link).

Message #10 received at 941036@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 941036@bugs.debian.org
Subject: Re: Bug#941036: cacti: CVE-2019-16723
Date: Mon, 23 Sep 2019 22:28:31 +0200
[Message part 1 (text/plain, inline)]
Hi Salvatore,

Thanks for your report.

On 23-09-2019 22:20, Salvatore Bonaccorso wrote:
> The following vulnerability was published for cacti, filling for
> tracking the upstream issue. At time of writing, I think there was not
> a patch upstream yet.

I think there is:
https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264

It mentioned the wrong issue, as documented here:
https://github.com/Cacti/cacti/commit/de3833b0414383efc9e075dd13c95925e2ca504c

Paul


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#941036; Package src:cacti. (Tue, 24 Sep 2019 04:03:07 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 24 Sep 2019 04:03:07 GMT) (full text, mbox, link).

Message #15 received at 941036@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Paul Gevers <elbrus@debian.org>
Cc: 941036@bugs.debian.org
Subject: Re: Bug#941036: cacti: CVE-2019-16723
Date: Tue, 24 Sep 2019 05:58:19 +0200
Hi Paul,

On Mon, Sep 23, 2019 at 10:28:31PM +0200, Paul Gevers wrote:
> Hi Salvatore,
> 
> Thanks for your report.
> 
> On 23-09-2019 22:20, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for cacti, filling for
> > tracking the upstream issue. At time of writing, I think there was not
> > a patch upstream yet.
> 
> I think there is:
> https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264
> 
> It mentioned the wrong issue, as documented here:
> https://github.com/Cacti/cacti/commit/de3833b0414383efc9e075dd13c95925e2ca504c

"Ack", thank you!

Regards,
Salvatore

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 24 16:46:00 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started