Bug 1215024

Summary: VUL-0: cacti: multiple security issues fixed in 1.2.25
Product: [openSUSE] openSUSE Distribution Reporter: Andreas Stieger <Andreas.Stieger>
Component: SecurityAssignee: Andreas Stieger <Andreas.Stieger>
Status: RESOLVED MOVED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: cathy.hu
Version: Leap 15.5   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1215039, 1215040, 1215042, 1215043, 1215044, 1215045, 1215047, 1215050, 1215051, 1215052, 1215053, 1215054, 1215055, 1215056, 1215058, 1215059, 1215081, 1215082    
Bug Blocks:    

Description Andreas Stieger 2023-09-06 06:06:22 UTC 
From https://github.com/Cacti/cacti/blob/release/1.2.25/CHANGELOG

-security#GHSA-77rf-774j-6h3p: Protect against Insecure deserialization of filter data
-security#GHSA-gx8c-xvjh-9qh4: Protect against Cross-Site Scripting vulnerability when creating new graphs
-security#GHSA-6r43-q2fw-5wrg: Protect against Unauthenticated SQL Injection when viewing graphs
-security#GHSA-6jhp-mgqg-fhqg: Protect against SQL Injection when saving data with sql_save()
-security#GHSA-g6ff-58cj-x3cp: Protect against Authenticated command injection when using SNMP options
-security#GHSA-q4wh-3f9w-836h: Protect against Authenticated SQL injection vulnerability when managing graphs
-security#GHSA-gj95-7xr8-9p7g: Protect against Authenticated SQL injection vulnerability when managing reports
-security#GHSA-v5w7-hww7-2f22: Protect against SQL Injection when using regular expressions
-security#GHSA-4pjv-rmrp-r59x: Protect against Open redirect in change password functionality
-security#GHSA-rwhh-xxm6-vcrv: Protect against Cross-Site Scripting vulnerability with Device Name when managing Data Sources
-security#GHSA-24w4-4hp2-3j8h: Protect against Cross-Site Scripting vulnerability with Device Name when administrating Reports
-security#GHSA-5hpr-4hhc-8q42: Protect against Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports
-security#GHSA-vqcc-5v63-g9q7: Protect against Cross-Site Scripting vulnerability with Device Name when managing Data Sources
-security#GHSA-9fj7-8f2j-2rw2: Protect against Cross-Site Scripting vulnerability with Device Name when debugging data queries
-security#GHSA-6hrc-2cfc-8hm7: Protect against Cross-Site Scripting vulnerability with Data Source Name when managing Graphs
-security#GHSA-hrg9-qqqx-wc4h: Protect against Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries
-security#GHSA-r8qq-88g3-hmgv: Protect against Cross-Site Scripting vulnerability with Data Source Information when managing Data Sources


https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p
https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4
https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
https://github.com/Cacti/cacti/security/advisories/GHSA-6jhp-mgqg-fhqg
https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h
https://github.com/Cacti/cacti/security/advisories/GHSA-gj95-7xr8-9p7g
https://github.com/Cacti/cacti/security/advisories/GHSA-v5w7-hww7-2f22
https://github.com/Cacti/cacti/security/advisories/GHSA-4pjv-rmrp-r59x
https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv
https://github.com/Cacti/cacti/security/advisories/GHSA-24w4-4hp2-3j8h
https://github.com/Cacti/cacti/security/advisories/GHSA-5hpr-4hhc-8q42
https://github.com/Cacti/cacti/security/advisories/GHSA-vqcc-5v63-g9q7
https://github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2
https://github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7
https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h
https://github.com/Cacti/cacti/security/advisories/GHSA-r8qq-88g3-hmgv



Does not seem to include bug 1214170 / CVE-2023-3754
Comment 1 Andreas Stieger 2023-09-06 06:11:57 UTC 
submitted
Comment 2 Andreas Stieger 2023-09-06 06:41:39 UTC 
CVE-2023-30534 
CVE-2023-39360 
CVE-2023-39361 
CVE-2023-39357 
CVE-2023-39362 
CVE-2023-39359 
CVE-2023-39358 
CVE-2023-39365 
CVE-2023-39364 
CVE-2023-39366 
CVE-2023-39510 

CVE-2023-39512 
CVE-2023-39513 
CVE-2023-39514 
CVE-2023-39515 
CVE-2023-39516
Comment 3 OBSbugzilla Bot 2023-09-06 06:45:16 UTC 
This is an autogenerated message for OBS integration:
This bug (1215024) was mentioned in
https://build.opensuse.org/request/show/1109188 Factory / cacti
https://build.opensuse.org/request/show/1109189 Backports:SLE-12+Backports:SLE-15-SP4+Backports:SLE-15-SP5 / cacti+cacti-spine
Comment 4 Andreas Stieger 2023-09-06 09:03:31 UTC 
Resolving in favor of individual bugs
Comment 5 Andreas Stieger 2023-09-06 20:36:11 UTC 
  * CVE-2023-30534: Protect against Insecure deserialization of filter data (boo#1215082)
  * CVE-2023-39360: Cross-Site Scripting vulnerability when creating new graphs (boo#1215044)
  * CVE-2023-39361: Unauthenticated SQL Injection when viewing graphs (boo#1215045)
  * CVE-2023-39357: SQL Injection when saving data with sql_save() (boo#1215040)
  * CVE-2023-39362: Authenticated command injection when using SNMP options (boo#1215047)
  * CVE-2023-39359: Authenticated SQL injection vulnerability when managing graphs (boo#1215043)
  * CVE-2023-39358: Authenticated SQL injection vulnerability when managing reports (boo#1215042)
  * CVE-2023-39365: SQL Injection when using regular expressions (boo#1215051)
  * CVE-2023-39364: redirect in change password functionality (boo#1215050)
  * CVE-2023-39366: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215052)
  * CVE-2023-39510: Cross-Site Scripting vulnerability with Device Name when administrating Reports (boo#1215053)
  * CVE-2023-39511: Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports (boo#1215081)
  * CVE-2023-39512: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215054)
  * CVE-2023-39513: Cross-Site Scripting vulnerability with Device Name when debugging data queries (boo#1215055)
  * CVE-2023-39514: Cross-Site Scripting vulnerability with Data Source Name when managing Graphs (boo#1215056)
  * CVE-2023-39515: Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries (boo#1215058)
  * CVE-2023-39516: Cross-Site Scripting vulnerability with Data Source Information when managing Data Sources (boo#1215059)