Bug 1215051 (CVE-2023-39365) - VUL-0: CVE-2023-39365: cacti: SQL Injection when using regular expressions
Summary: VUL-0: CVE-2023-39365: cacti: SQL Injection when using regular expressions
Status: RESOLVED FIXED
Alias: CVE-2023-39365
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/377376/
Whiteboard:
Keywords:
Depends on:
Blocks: 1215024
  Show dependency treegraph
 
Reported: 2023-09-06 08:31 UTC by Cathy Hu
Modified: 2023-09-26 19:10 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Cathy Hu 2023-09-06 08:31:51 UTC 
CVE-2023-39365

Cacti is an open source operational monitoring and fault management framework.
Issues with Cacti Regular Expression validation combined with the external links
feature can lead to limited SQL Injections and subsequent data leakage. This
issue has been addressed in version 1.2.25. Users are advised to upgrade. There
are no known workarounds for this vulnerability.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39365
https://bugzilla.redhat.com/show_bug.cgi?id=2237613
https://www.cve.org/CVERecord?id=CVE-2023-39365
https://github.com/Cacti/cacti/security/advisories/GHSA-v5w7-hww7-2f22
Comment 1 Cathy Hu 2023-09-06 08:32:07 UTC 
Affected:
- openSUSE:Factory/cacti 1.2.24
- openSUSE:Backports:SLE-15-SP4/cacti 1.2.20
- openSUSE:Backports:SLE-15-SP5/cacti 1.2.23
Comment 2 Andreas Stieger 2023-09-06 20:47:19 UTC 
submitted
Comment 3 OBSbugzilla Bot 2023-09-06 21:35:20 UTC 
This is an autogenerated message for OBS integration:
This bug (1215051) was mentioned in
https://build.opensuse.org/request/show/1109347 Factory / cacti
https://build.opensuse.org/request/show/1109349 Backports:SLE-12+Backports:SLE-15-SP4+Backports:SLE-15-SP5 / cacti+cacti-spine
Comment 4 Cathy Hu 2023-09-25 12:22:10 UTC 
done, closing
Comment 5 Andreas Stieger 2023-09-25 12:35:19 UTC 
Reopening: Maintenance release request is still open, and waiting for reviews from qam-openqa and backports-reviewers.
https://build.opensuse.org/request/show/1109493
Comment 6 Marcus Meissner 2023-09-26 19:05:58 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 7 Marcus Meissner 2023-09-26 19:07:30 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    cacti-1.2.25-bp155.2.3.1, cacti-spine-1.2.25-bp155.2.3.1
openSUSE Backports SLE-15-SP4 (src):    cacti-1.2.25-bp154.2.9.1, cacti-spine-1.2.25-bp154.2.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 8 Andreas Stieger 2023-09-26 19:10:13 UTC 
all done now, closing