Bug 1215050 (CVE-2023-39364)

Summary: VUL-0: CVE-2023-39364: cacti: Open redirect in change password functionality
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: Andreas.Stieger, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/377375/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1215024    

Description Cathy Hu 2023-09-06 08:30:59 UTC 
CVE-2023-39364

Cacti is an open source operational monitoring and fault management framework.
In Cacti 1.2.24, users with console access can be redirected to an arbitrary
website after a change password performed via a specifically crafted URL. The
`auth_changepassword.php` file accepts `ref` as a URL parameter and reflects it
in the form used to perform the change password. It's value is used to perform a
redirect via `header` PHP function. A user can be tricked in performing the
change password operation, e.g., via a phishing message, and then interacting
with the malicious website where the redirection has been performed, e.g.,
downloading malwares, providing credentials, etc. This issue has been addressed
in version 1.2.25. Users are advised to upgrade. There are no known workarounds
for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39364
https://bugzilla.redhat.com/show_bug.cgi?id=2237610
https://www.cve.org/CVERecord?id=CVE-2023-39364
https://github.com/Cacti/cacti/security/advisories/GHSA-4pjv-rmrp-r59x
Comment 1 Cathy Hu 2023-09-06 08:31:09 UTC 
Affected:
- openSUSE:Factory/cacti 1.2.24
- openSUSE:Backports:SLE-15-SP4/cacti 1.2.20
- openSUSE:Backports:SLE-15-SP5/cacti 1.2.23
Comment 2 Andreas Stieger 2023-09-06 20:47:18 UTC 
submitted
Comment 3 OBSbugzilla Bot 2023-09-06 21:35:18 UTC 
This is an autogenerated message for OBS integration:
This bug (1215050) was mentioned in
https://build.opensuse.org/request/show/1109347 Factory / cacti
https://build.opensuse.org/request/show/1109349 Backports:SLE-12+Backports:SLE-15-SP4+Backports:SLE-15-SP5 / cacti+cacti-spine
Comment 4 Cathy Hu 2023-09-25 12:22:20 UTC 
done, closing
Comment 5 Andreas Stieger 2023-09-25 12:35:18 UTC 
Reopening: Maintenance release request is still open, and waiting for reviews from qam-openqa and backports-reviewers.
https://build.opensuse.org/request/show/1109493
Comment 6 Marcus Meissner 2023-09-26 19:05:55 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 7 Marcus Meissner 2023-09-26 19:07:26 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    cacti-1.2.25-bp155.2.3.1, cacti-spine-1.2.25-bp155.2.3.1
openSUSE Backports SLE-15-SP4 (src):    cacti-1.2.25-bp154.2.9.1, cacti-spine-1.2.25-bp154.2.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 8 Andreas Stieger 2023-09-26 19:10:15 UTC 
all done now, closing