CVE-2024-25641

14.05.2024, 15:05

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.1 CRITICAL	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
GitHub_M	CNA	9.1 CRITICAL	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
cacti	cacti	𝑥 < 1.2.27

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cacti

bullseye	vulnerable
bullseye (security)	1.2.16+ds1-2+deb11u5 fixed
bookworm	1.2.24+ds1-1+deb12u5 fixed
bookworm (security)	1.2.24+ds1-1+deb12u5 fixed
sid	1.2.30+ds1-1 fixed
trixie	1.2.30+ds1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

cacti

noble	Fixed 1.2.26+ds1-1ubuntu0.1 released
mantic	ignored
jammy	Fixed 1.2.19+ds1-2ubuntu1.1 released
focal	Fixed 1.2.10+ds1-1ubuntu1.1 released
bionic	Fixed 1.1.38+ds1-1ubuntu0.1~esm3 released
xenial	not-affected
trusty	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://seclists.org/fulldisclosure/2024/May/6

https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210

https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/

http://seclists.org/fulldisclosure/2024/May/6

https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210

https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/