Alpine: multiple cacti packages: security update to 1.2.26-r0

critical Tenable Cloud Security Plugin ID 408249

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs. Descriptions are given below for five of them; the plugin's full CVE list appears under Reference Information. The descriptions cite upstream Cacti 1.2.25 as the first fixed release for those five issues, while the Alpine package that closes the whole list is 1.2.26-r0, as in the title:

- Cacti is an open source operational monitoring and fault management framework. Affected versions are
subject to a SQL injection in graph_view.php. Because guest users can reach graph_view.php without
authentication by default, an installation with the guest account enabled exposes this flaw to
unauthenticated attackers, who may use it to take over administrative privileges or achieve remote code
execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no
known workarounds for this vulnerability. (CVE-2023-39361)

- Cacti is an open source operational monitoring and fault management framework. There are two instances of
insecure deserialization in Cacti version 1.2.24. A gadget chain is known for phpseclib, which ships in
Cacti's vendor directory, but the classes that chain needs are not included in Cacti's copy, so the
insecure deserializations are not exploitable with the bundled dependencies. Each instance is due to
calling the unserialize function on user input without sanitizing it. Cacti has a "safe" deserialization
helper that sanitizes the content and checks for specific values before calling unserialize, but it is
not used in these instances. The vulnerable code lies in graphs_new.php, specifically within the
host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to
upgrade. There are no known workarounds for this vulnerability. (CVE-2023-30534)

- Cacti is an open source operational monitoring and fault management framework. A defect in the sql_save
function was discovered: when a column's type is numeric, sql_save places the supplied value directly
into the SQL statement. Many files and functions that call sql_save do not validate user input
beforehand, so multiple SQL injection vulnerabilities exist in Cacti. Authenticated users can exploit
them to perform privilege escalation and remote code execution. This issue has been addressed in version
1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
(CVE-2023-39357)

- Cacti is an open source operational monitoring and fault management framework. An authenticated SQL
injection vulnerability was discovered which allows authenticated users to perform privilege escalation
and remote code execution. The vulnerability resides in the `reports_user.php` file: in
`ajax_get_branches`, the `tree_id` parameter is passed to the `reports_get_branch_select` function without
any validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are
no known workarounds for this vulnerability. (CVE-2023-39358)

- Cacti is an open source operational monitoring and fault management framework. An authenticated SQL
injection vulnerability was discovered which allows authenticated users to perform privilege escalation
and remote code execution. The vulnerability resides in the `graphs.php` file. In the ajax_hosts and
ajax_hosts_noany actions, when the `site_id` parameter is greater than 0 it is spliced directly into the
WHERE clause of the SQL statement, which gives an SQL injection. This issue has been addressed in version
1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
(CVE-2023-39359)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-30534

https://security.alpinelinux.org/vuln/CVE-2023-39357

https://security.alpinelinux.org/vuln/CVE-2023-39358

https://security.alpinelinux.org/vuln/CVE-2023-39359

https://security.alpinelinux.org/vuln/CVE-2023-39360

https://security.alpinelinux.org/vuln/CVE-2023-39361

https://security.alpinelinux.org/vuln/CVE-2023-39362

https://security.alpinelinux.org/vuln/CVE-2023-39364

https://security.alpinelinux.org/vuln/CVE-2023-39365

https://security.alpinelinux.org/vuln/CVE-2023-39366

https://security.alpinelinux.org/vuln/CVE-2023-39510

https://security.alpinelinux.org/vuln/CVE-2023-39511

https://security.alpinelinux.org/vuln/CVE-2023-39512

https://security.alpinelinux.org/vuln/CVE-2023-39513

https://security.alpinelinux.org/vuln/CVE-2023-39514

https://security.alpinelinux.org/vuln/CVE-2023-39515

https://security.alpinelinux.org/vuln/CVE-2023-39516

https://security.alpinelinux.org/vuln/CVE-2023-46490

https://security.alpinelinux.org/vuln/CVE-2023-49084

https://security.alpinelinux.org/vuln/CVE-2023-49085

https://security.alpinelinux.org/vuln/CVE-2023-49086

https://security.alpinelinux.org/vuln/CVE-2023-49088

https://security.alpinelinux.org/vuln/CVE-2023-50250

https://security.alpinelinux.org/vuln/CVE-2023-50569

https://security.alpinelinux.org/vuln/CVE-2023-51448

Plugin Details

Severity: Critical

ID: 408249

Version: Revision 1.16

Type: Local

Published: 1/22/2024

Updated: 6/1/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
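The plugin is a local check: it reads the installed package list and compares each cacti package's version with the fixed version named in the title. The following is an added example, not Tenable's plugin code and not Alpine's tooling: a POSIX shell script that performs the same comparison on `apk info -v` output, run here on a constructed sample. The version comparison covers the `X.Y.Z-rN` form these packages use; the package names and versions in the sample are constructed.

```shell
#!/bin/sh
# Added example, not Tenable's plugin logic or Alpine tooling: a local check
# that mirrors what this plugin does. FIXED comes from the advisory title.

FIXED="1.2.26-r0"

# apk_ver_lt A B: succeed (0) when Alpine package version A is older than B.
# Covers the "X.Y.Z-rN" form by comparing numeric fields; suffixes such as
# _rc1 or _p1 are outside what this helper handles.
apk_ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-r/, ".", a); gsub(/-r/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# check_line "name-version-rN": classify one line of `apk info -v` output.
# Prints OK / VULNERABLE / SKIP and returns 1 only for VULNERABLE.
check_line() {
    line=$1
    name=$(printf '%s\n' "$line" | sed -E 's/^(.*)-([0-9][^-]*-r[0-9]+)$/\1/')
    ver=$(printf '%s\n' "$line" | sed -E 's/^(.*)-([0-9][^-]*-r[0-9]+)$/\2/')
    # Unparseable line (no "-version-rN" tail): report and move on.
    [ "$ver" != "$line" ] || { printf 'SKIP %s\n' "$line"; return 0; }
    case $name in
        cacti|cacti-*) ;;
        *) printf 'SKIP %s\n' "$line"; return 0 ;;
    esac
    if apk_ver_lt "$ver" "$FIXED"; then
        printf 'VULNERABLE %s %s (< %s)\n' "$name" "$ver" "$FIXED"
        return 1
    fi
    printf 'OK %s %s\n' "$name" "$ver"
}

# scan: read package lines on stdin, report each, fail if any is vulnerable.
scan() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_line "$line" || bad=$((bad + 1))
    done
    printf '%d vulnerable cacti package(s)\n' "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample of `apk info -v` output (not taken from a real host).
SAMPLE='cacti-1.2.24-r0
cacti-doc-1.2.24-r0
php83-8.3.4-r0'

# On a real Alpine host or image:  apk info -v | scan
printf '%s\n' "$SAMPLE" | scan || echo 'action: upgrade the cacti packages to 1.2.26-r0 or later'
```

The comparison is numeric field by field after turning `-rN` into a fourth component, so `1.2.26-r1` is correctly newer than `1.2.26-r0` and `1.3.0-r0` newer than `1.2.26-r0`; a plain string comparison would get the second case wrong.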

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.54

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-39361

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/5/2023

Exploitable With

Metasploit (Cacti RCE via SQLi in pollers.php)

Reference Information

CVE: CVE-2023-30534, CVE-2023-39357, CVE-2023-39358, CVE-2023-39359, CVE-2023-39360, CVE-2023-39361, CVE-2023-39362, CVE-2023-39364, CVE-2023-39365, CVE-2023-39366, CVE-2023-39510, CVE-2023-39511, CVE-2023-39512, CVE-2023-39513, CVE-2023-39514, CVE-2023-39515, CVE-2023-39516, CVE-2023-46490, CVE-2023-49084, CVE-2023-49085, CVE-2023-49086, CVE-2023-49088, CVE-2023-50250, CVE-2023-51448