opensuse-su-2020:0272-1
Vulnerability from csaf_opensuse
Published
2020-03-01 17:12
Modified
2020-03-01 17:12
Summary
Security update for cacti, cacti-spine
Notes
Title of the patch
Security update for cacti, cacti-spine
Description of the patch
This update for cacti, cacti-spine fixes the following issues:
cacti-spine was updated to version 1.2.9.
Security issues fixed:
- CVE-2009-4112: Fixed a privilege escalation (bsc#1122535).
- CVE-2018-20723: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122245).
- CVE-2018-20724: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122244).
- CVE-2018-20725: Fixed a privilege escalation that could occur under certain conditions (bsc#1122535).
- CVE-2018-20726: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122242).
- CVE-2019-16723: Fixed an authentication bypass vulnerability.
- CVE-2019-17357: Fixed an SQL injection vulnerability (bsc#1158990).
- CVE-2019-17358: Fixed an unsafe deserialization in sanitize_unserialize_selected_items (bsc#1158992).
- CVE-2020-7106: Fixed a potential cross-site scripting (XSS) vulnerability (bsc#1163749).
- CVE-2020-7237: Fixed a remote code execution that affected privileged users via shell metacharacters in the Performance Boost Debug Log field (bsc#1161297).
Non-security issues fixed:
- Fixed missing packages php-json, php-ctype, and php-gd in cacti.spec (boo#1101024).
- Fixed Apache2.4 and Apache2.2 runtime configuration issue (boo#1101139).
Patchnames
openSUSE-2020-272
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cacti, cacti-spine",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cacti, cacti-spine fixes the following issues:\n\ncacti-spine was updated to version 1.2.9.\n\n\nSecurity issues fixed:\n\n- CVE-2009-4112: Fixed a privilege escalation (bsc#1122535).\n- CVE-2018-20723: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122245).\n- CVE-2018-20724: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122244).\n- CVE-2018-20725: Fixed a privilege escalation that could occur under certain conditions (bsc#1122535).\n- CVE-2018-20726: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122242).\n- CVE-2019-16723: Fixed an authentication bypass vulnerability.\n- CVE-2019-17357: Fixed an SQL injection vulnerability (bsc#1158990).\n- CVE-2019-17358: Fixed an unsafe deserialization in sanitize_unserialize_selected_items (bsc#1158992).\n- CVE-2020-7106: Fixed a potential cross-site scripting (XSS) vulnerability (bsc#1163749).\n- CVE-2020-7237: Fixed a remote code execution that affected privileged users via shell metacharacters in the Performance Boost Debug Log field (bsc#1161297).\n\n\nNon-security issues fixed:\n\n- Fixed missing packages php-json, php-ctype, and php-gd in cacti.spec (boo#1101024).\n- Fixed Apache2.4 and Apache2.2 runtime configuration issue (boo#1101139).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-272",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0272-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:0272-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QJH5OTPHSPMFV4CORKBXMWKMQWVD3CC5/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:0272-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QJH5OTPHSPMFV4CORKBXMWKMQWVD3CC5/"
},
{
"category": "self",
"summary": "SUSE Bug 1082318",
"url": "https://bugzilla.suse.com/1082318"
},
{
"category": "self",
"summary": "SUSE Bug 1101024",
"url": "https://bugzilla.suse.com/1101024"
},
{
"category": "self",
"summary": "SUSE Bug 1101139",
"url": "https://bugzilla.suse.com/1101139"
},
{
"category": "self",
"summary": "SUSE Bug 1122242",
"url": "https://bugzilla.suse.com/1122242"
},
{
"category": "self",
"summary": "SUSE Bug 1122243",
"url": "https://bugzilla.suse.com/1122243"
},
{
"category": "self",
"summary": "SUSE Bug 1122244",
"url": "https://bugzilla.suse.com/1122244"
},
{
"category": "self",
"summary": "SUSE Bug 1122245",
"url": "https://bugzilla.suse.com/1122245"
},
{
"category": "self",
"summary": "SUSE Bug 1122535",
"url": "https://bugzilla.suse.com/1122535"
},
{
"category": "self",
"summary": "SUSE Bug 1158990",
"url": "https://bugzilla.suse.com/1158990"
},
{
"category": "self",
"summary": "SUSE Bug 1158992",
"url": "https://bugzilla.suse.com/1158992"
},
{
"category": "self",
"summary": "SUSE Bug 1161297",
"url": "https://bugzilla.suse.com/1161297"
},
{
"category": "self",
"summary": "SUSE Bug 1163749",
"url": "https://bugzilla.suse.com/1163749"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2009-4112 page",
"url": "https://www.suse.com/security/cve/CVE-2009-4112/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20723 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20724 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20724/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20725 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20725/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20726 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20726/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16723 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17357 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17357/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17358 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17358/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-7106 page",
"url": "https://www.suse.com/security/cve/CVE-2020-7106/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-7237 page",
"url": "https://www.suse.com/security/cve/CVE-2020-7237/"
}
],
"title": "Security update for cacti, cacti-spine",
"tracking": {
"current_release_date": "2020-03-01T17:12:57Z",
"generator": {
"date": "2020-03-01T17:12:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:0272-1",
"initial_release_date": "2020-03-01T17:12:57Z",
"revision_history": [
{
"date": "2020-03-01T17:12:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.9-lp151.3.3.1.noarch",
"product": {
"name": "cacti-1.2.9-lp151.3.3.1.noarch",
"product_id": "cacti-1.2.9-lp151.3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.9-lp151.3.3.1.x86_64",
"product": {
"name": "cacti-spine-1.2.9-lp151.3.3.1.x86_64",
"product_id": "cacti-spine-1.2.9-lp151.3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.9-lp151.3.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch"
},
"product_reference": "cacti-1.2.9-lp151.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.9-lp151.3.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
},
"product_reference": "cacti-spine-1.2.9-lp151.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2009-4112",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2009-4112"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the \"Data Input Method\" for the \"Linux - Get Memory Usage\" setting to contain arbitrary commands.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2009-4112",
"url": "https://www.suse.com/security/cve/CVE-2009-4112"
},
{
"category": "external",
"summary": "SUSE Bug 1122535 for CVE-2009-4112",
"url": "https://bugzilla.suse.com/1122535"
},
{
"category": "external",
"summary": "SUSE Bug 558664 for CVE-2009-4112",
"url": "https://bugzilla.suse.com/558664"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "important"
}
],
"title": "CVE-2009-4112"
},
{
"cve": "CVE-2018-20723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20723"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20723",
"url": "https://www.suse.com/security/cve/CVE-2018-20723"
},
{
"category": "external",
"summary": "SUSE Bug 1122245 for CVE-2018-20723",
"url": "https://bugzilla.suse.com/1122245"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "moderate"
}
],
"title": "CVE-2018-20723"
},
{
"cve": "CVE-2018-20724",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20724"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20724",
"url": "https://www.suse.com/security/cve/CVE-2018-20724"
},
{
"category": "external",
"summary": "SUSE Bug 1122244 for CVE-2018-20724",
"url": "https://bugzilla.suse.com/1122244"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "moderate"
}
],
"title": "CVE-2018-20724"
},
{
"cve": "CVE-2018-20725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20725"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20725",
"url": "https://www.suse.com/security/cve/CVE-2018-20725"
},
{
"category": "external",
"summary": "SUSE Bug 1122243 for CVE-2018-20725",
"url": "https://bugzilla.suse.com/1122243"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "moderate"
}
],
"title": "CVE-2018-20725"
},
{
"cve": "CVE-2018-20726",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20726"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20726",
"url": "https://www.suse.com/security/cve/CVE-2018-20726"
},
{
"category": "external",
"summary": "SUSE Bug 1122242 for CVE-2018-20726",
"url": "https://bugzilla.suse.com/1122242"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "moderate"
}
],
"title": "CVE-2018-20726"
},
{
"cve": "CVE-2019-16723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16723"
}
],
"notes": [
{
"category": "general",
"text": "In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16723",
"url": "https://www.suse.com/security/cve/CVE-2019-16723"
},
{
"category": "external",
"summary": "SUSE Bug 1151788 for CVE-2019-16723",
"url": "https://bugzilla.suse.com/1151788"
},
{
"category": "external",
"summary": "SUSE Bug 1214170 for CVE-2019-16723",
"url": "https://bugzilla.suse.com/1214170"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "moderate"
}
],
"title": "CVE-2019-16723"
},
{
"cve": "CVE-2019-17357",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17357"
}
],
"notes": [
{
"category": "general",
"text": "Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17357",
"url": "https://www.suse.com/security/cve/CVE-2019-17357"
},
{
"category": "external",
"summary": "SUSE Bug 1158990 for CVE-2019-17357",
"url": "https://bugzilla.suse.com/1158990"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "important"
}
],
"title": "CVE-2019-17357"
},
{
"cve": "CVE-2019-17358",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17358"
}
],
"notes": [
{
"category": "general",
"text": "Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17358",
"url": "https://www.suse.com/security/cve/CVE-2019-17358"
},
{
"category": "external",
"summary": "SUSE Bug 1158992 for CVE-2019-17358",
"url": "https://bugzilla.suse.com/1158992"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "moderate"
}
],
"title": "CVE-2019-17358"
},
{
"cve": "CVE-2020-7106",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-7106"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-7106",
"url": "https://www.suse.com/security/cve/CVE-2020-7106"
},
{
"category": "external",
"summary": "SUSE Bug 1163749 for CVE-2020-7106",
"url": "https://bugzilla.suse.com/1163749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "moderate"
}
],
"title": "CVE-2020-7106"
},
{
"cve": "CVE-2020-7237",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-7237"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-7237",
"url": "https://www.suse.com/security/cve/CVE-2020-7237"
},
{
"category": "external",
"summary": "SUSE Bug 1161297 for CVE-2020-7237",
"url": "https://bugzilla.suse.com/1161297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:cacti-1.2.9-lp151.3.3.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.9-lp151.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-03-01T17:12:57Z",
"details": "important"
}
],
"title": "CVE-2020-7237"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…