Bug 1215043 (CVE-2023-39359)

Summary: VUL-0: CVE-2023-39359: cacti: Authenticated SQL injection vulnerability when managing graphs
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: Andreas.Stieger, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/377357/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1215024    

Description Cathy Hu 2023-09-06 08:23:22 UTC 
CVE-2023-39359

Cacti is an open source operational monitoring and fault management framework.
An authenticated SQL injection vulnerability was discovered which allows
authenticated users to perform privilege escalation and remote code execution.
The vulnerability resides in the `graphs.php` file. When dealing with the cases
of ajax_hosts and ajax_hosts_noany, if the `site_id` parameter is greater than
0, it is directly reflected in the WHERE clause of the SQL statement. This
creates an SQL injection vulnerability. This issue has been addressed in version
1.2.25. Users are advised to upgrade. There are no known workarounds for this
vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39359
https://bugzilla.redhat.com/show_bug.cgi?id=2237587
https://www.cve.org/CVERecord?id=CVE-2023-39359
https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h
Comment 1 Cathy Hu 2023-09-06 08:23:31 UTC 
Affected:
- openSUSE:Factory/cacti 1.2.24
- openSUSE:Backports:SLE-15-SP4/cacti 1.2.20
- openSUSE:Backports:SLE-15-SP5/cacti 1.2.23
Comment 2 Andreas Stieger 2023-09-06 20:47:19 UTC 
submitted
Comment 3 OBSbugzilla Bot 2023-09-06 21:35:11 UTC 
This is an autogenerated message for OBS integration:
This bug (1215043) was mentioned in
https://build.opensuse.org/request/show/1109347 Factory / cacti
https://build.opensuse.org/request/show/1109349 Backports:SLE-12+Backports:SLE-15-SP4+Backports:SLE-15-SP5 / cacti+cacti-spine
Comment 4 Cathy Hu 2023-09-25 12:23:02 UTC 
done, closing
Comment 5 Andreas Stieger 2023-09-25 12:35:16 UTC 
Reopening: Maintenance release request is still open, and waiting for reviews from qam-openqa and backports-reviewers.
https://build.opensuse.org/request/show/1109493
Comment 6 Marcus Meissner 2023-09-26 19:05:47 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 7 Marcus Meissner 2023-09-26 19:07:12 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    cacti-1.2.25-bp155.2.3.1, cacti-spine-1.2.25-bp155.2.3.1
openSUSE Backports SLE-15-SP4 (src):    cacti-1.2.25-bp154.2.9.1, cacti-spine-1.2.25-bp154.2.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 8 Andreas Stieger 2023-09-26 19:10:14 UTC 
all done now, closing