Bug 1196692 - (CVE-2022-0730) VUL-0: CVE-2022-0730: cacti: Authentication bypass under certain LDAP server environments
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other OS: Other
Priority: P3 - Medium Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/325216/
Depends on:
Blocks:
Reported: 2022-03-03 09:26 UTC by Thomas Leroy
Modified: 2022-05-24 13:20 UTC (History)

See Also:
Found By: Security Response Team
Description Thomas Leroy 2022-03-03 09:26:38 UTC
rh#2057106

Under certain LDAP conditions, Cacti authentication can be bypassed with certain credential types.

References:
https://github.com/Cacti/cacti/issues/4562
https://bugzilla.redhat.com/show_bug.cgi?id=2057106
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0730
Comment 1 Thomas Leroy 2022-03-03 09:35:32 UTC
Will be fixed in version 1.2.20, which is not shipped yet.

Affected:
- openSUSE:Factory/cacti                       v1.2.19
- openSUSE:Backports:SLE-15-SP4/cacti          v1.2.18
- openSUSE:Backports:SLE-15-SP3/cacti          v1.2.17
- openSUSE:Backports:SLE-15-SP3:Update/cacti   v1.2.19
Comment 2 Andreas Stieger 2022-04-22 16:35:46 UTC
Submitted, thanks Ferdinand.
Comment 3 OBSbugzilla Bot 2022-04-22 18:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1196692) was mentioned in
https://build.opensuse.org/request/show/972230 Factory / cacti
https://build.opensuse.org/request/show/972231 Backports:SLE-12+Backports:SLE-15-SP3 / cacti+cacti-spine
https://build.opensuse.org/request/show/972232 Backports:SLE-15-SP4 / cacti
Comment 4 Swamp Workflow Management 2022-05-24 13:15:51 UTC
openSUSE-SU-2022:0145-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1192408,1196692
CVE References: CVE-2022-0730
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src):    cacti-1.2.20-bp153.2.9.1, cacti-spine-1.2.20-bp153.2.9.1
Comment 5 Swamp Workflow Management 2022-05-24 13:20:38 UTC
openSUSE-SU-2022:0145-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1192408,1196692
CVE References: CVE-2022-0730
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src):    cacti-1.2.20-bp153.2.9.1, cacti-spine-1.2.20-bp153.2.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.20-26.1, cacti-spine-1.2.20-20.1