Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- Cacti is an open source operational monitoring and fault management framework. Affected versions are
subject to a SQL injection discovered in graph_view.php. Because guest users can access graph_view.php
without authentication by default, installations where the guest user is enabled are exposed to
significant damage: an attacker who exploits this vulnerability may be able to take over administrative
privileges or achieve remote code execution.
This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known
workarounds for this vulnerability. (CVE-2023-39361)
- Cacti is an open source operational monitoring and fault management framework. There are two instances of
insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor
directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure
deserializations not exploitable. Each instance of insecure deserialization is due to using the
unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts
to sanitize the content and check for specific values before calling unserialize, but it isn’t used in
these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save
function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no
known workarounds for this vulnerability. (CVE-2023-30534)
- Cacti is an open source operational monitoring and fault management framework. A defect in the sql_save
function was discovered. When the column type is numeric, the sql_save function directly utilizes user
input. Many files and functions calling the sql_save function do not perform prior validation of user
input, leading to the existence of multiple SQL injection vulnerabilities in Cacti. This allows
authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and
remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade.
There are no known workarounds for this vulnerability. (CVE-2023-39357)
- Cacti is an open source operational monitoring and fault management framework. An authenticated SQL
injection vulnerability was discovered which allows authenticated users to perform privilege escalation
and remote code execution. The vulnerability resides in the `reports_user.php` file. In
`ajax_get_branches`, the `tree_id` parameter is passed to the `reports_get_branch_select` function without
any validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are
no known workarounds for this vulnerability. (CVE-2023-39358)
- Cacti is an open source operational monitoring and fault management framework. An authenticated SQL
injection vulnerability was discovered which allows authenticated users to perform privilege escalation
and remote code execution. The vulnerability resides in the `graphs.php` file. When dealing with the cases
of `ajax_hosts` and `ajax_hosts_noany`, if the `site_id` parameter is greater than 0, it is directly reflected
in the WHERE clause of the SQL statement. This creates an SQL injection vulnerability. This issue has been
addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this
vulnerability. (CVE-2023-39359)
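
The sql_save defect described under CVE-2023-39357 comes down to numeric columns reaching the statement without validation. The PHP below is an added example, not Cacti's code: the table, the column-type map and the function names are hypothetical, the input values are constructed, and the in-memory demo assumes the pdo_sqlite extension.

```php
<?php
// Added illustration, not Cacti source: table, columns and function names are hypothetical.

// Weak pattern: text columns are quoted, numeric columns are pasted in as received.
function build_insert_weak(PDO $db, string $table, array $types, array $input): string
{
    $vals = [];
    foreach ($types as $col => $type) {
        $vals[] = $type === 'int' ? $input[$col] : $db->quote((string) $input[$col]);
    }
    return "INSERT INTO $table (" . implode(', ', array_keys($types)) . ') VALUES (' . implode(', ', $vals) . ')';
}

// Hardened pattern: numeric columns must parse as integers, and every value is bound.
function insert_checked(PDO $db, string $table, array $types, array $input): void
{
    $params = [];
    foreach ($types as $col => $type) {
        if ($type === 'int') {
            $v = filter_var($input[$col] ?? null, FILTER_VALIDATE_INT);
            if ($v === false) {
                throw new InvalidArgumentException("$col must be an integer");
            }
            $params[":$col"] = $v;
        } else {
            $params[":$col"] = (string) ($input[$col] ?? '');
        }
    }
    $cols = implode(', ', array_keys($types));
    $stmt = $db->prepare("INSERT INTO $table ($cols) VALUES (" . implode(', ', array_keys($params)) . ')');
    $stmt->execute($params);
}

// Constructed demo: in-memory SQLite, schema fixed in code, values standing in for request input.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE site (id INTEGER, name TEXT)');
$types = ['id' => 'int', 'name' => 'text'];

$bad = ['id' => '7 /* not a number */', 'name' => 'lab'];
echo build_insert_weak($db, 'site', $types, $bad), "\n"; // the id text sits unquoted in the statement

insert_checked($db, 'site', $types, ['id' => '7', 'name' => 'lab']); // well-formed integer is stored
try {
    insert_checked($db, 'site', $types, $bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo $db->query('SELECT COUNT(*) FROM site')->fetchColumn(), " row(s) stored\n";
```

The table name and column names are still interpolated in the hardened function, so they must come from a map fixed in code, never from the request.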
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 9/5/2023
Reference Information
CVE: CVE-2023-30534, CVE-2023-39357, CVE-2023-39358, CVE-2023-39359, CVE-2023-39360, CVE-2023-39361, CVE-2023-39362, CVE-2023-39364, CVE-2023-39365, CVE-2023-39366, CVE-2023-39510, CVE-2023-39511, CVE-2023-39512, CVE-2023-39513, CVE-2023-39514, CVE-2023-39515, CVE-2023-39516, CVE-2023-49088