CVE-2024-45598

EUVD-2024-41744
Cacti is an open source performance and fault management framework. Prior to 1.2.29, an administrator can change the `Poller Standard Error Log Path` parameter in either Installation Step 5 or in Configuration->Settings->Paths tab to a local file inside the server. Then simply going to Logs tab and selecting the name of the local file will show its content on the web UI. This vulnerability is fixed in 1.2.29.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
GitHub_MCNA
6 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
cacticacti
𝑥
< 1.2.29
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cacti
bookworm
1.2.24+ds1-1+deb12u5
fixed
bookworm (security)
1.2.24+ds1-1+deb12u5
fixed
bullseye
vulnerable
bullseye (security)
1.2.16+ds1-2+deb11u5
fixed
forky
1.2.30+ds1-1
fixed
sid
1.2.30+ds1-1
fixed
trixie
1.2.30+ds1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cacti
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/Cacti/cacti/commit/eca52c6bb3e76c55d66b1040baa6dbf37471a0ae
https://github.com/Cacti/cacti/security/advisories/GHSA-pv2c-97pp-vxwg
https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html