Bugzilla – Bug 1215045
VUL-0: CVE-2023-39361: cacti: Unauthenticated SQL Injection when viewing graphs
Last modified: 2023-09-26 19:10:15 UTC
CVE-2023-39361 Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39361 https://bugzilla.redhat.com/show_bug.cgi?id=2237595 https://www.cve.org/CVERecord?id=CVE-2023-39361 https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
Affected: - openSUSE:Factory/cacti 1.2.24 - openSUSE:Backports:SLE-15-SP4/cacti 1.2.20 - openSUSE:Backports:SLE-15-SP5/cacti 1.2.23
submitted
This is an autogenerated message for OBS integration: This bug (1215045) was mentioned in https://build.opensuse.org/request/show/1109347 Factory / cacti https://build.opensuse.org/request/show/1109349 Backports:SLE-12+Backports:SLE-15-SP4+Backports:SLE-15-SP5 / cacti+cacti-spine
done, closing
Reopening: Maintenance release request is still open, and waiting for reviews from qam-openqa and backports-reviewers. https://build.opensuse.org/request/show/1109493
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available. Category: security (important) Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082 CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516 JIRA References: Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available. Category: security (important) Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082 CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): cacti-1.2.25-bp155.2.3.1, cacti-spine-1.2.25-bp155.2.3.1 openSUSE Backports SLE-15-SP4 (src): cacti-1.2.25-bp154.2.9.1, cacti-spine-1.2.25-bp154.2.9.1 SUSE Package Hub for SUSE Linux Enterprise 12 (src): cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
all done now, closing