CVE-2019-16723
First published: Mon Sep 23 2019(Updated: )
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/cacti | <=1.2.2+ds1-2<=1.2.2+ds1-2+deb10u1<=1.2.6+ds1-2 | |
| Cacti Cacti | <=1.2.6 | |
| debian/cacti | 1.2.2+ds1-2+deb10u4 1.2.2+ds1-2+deb10u5 1.2.16+ds1-2+deb11u1 1.2.16+ds1-2+deb11u2 1.2.24+ds1-1+deb12u1 1.2.25+ds1-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/issues/2964
- https://security-tracker.debian.org/tracker/CVE-2019-16723
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16723
- https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264
- https://github.com/Cacti/cacti/commit/de3833b0414383efc9e075dd13c95925e2ca504c
- https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2
- https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
- https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
- https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941036
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZO3ROHHPKLH2JRW7ES5FYSQTWIPNVLQB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSCUUCKSYVZLN3PQE7NU76AFWUGT3E2D/
- https://seclists.org/bugtraq/2020/Jan/25
- https://security.gentoo.org/glsa/202003-40
- https://www.debian.org/security/2020/dsa-4604
- https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b
- https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7
- https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7
- https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df
Frequently Asked Questions
What is the severity of CVE-2019-16723?
The severity of CVE-2019-16723 is high with a severity value of 4.3.
How can authenticated users bypass authorization checks in Cacti through 1.2.6?
Authenticated users can bypass authorization checks in Cacti through 1.2.6 by making a direct graph_json.php request with a modified local_graph_id parameter.
Which versions of Cacti are affected by CVE-2019-16723?
Versions 1.2.2+ds1-2, 1.2.2+ds1-2+deb10u1, and 1.2.6+ds1-2 of Cacti are affected by CVE-2019-16723.
Are there any remedies available for CVE-2019-16723 in Cacti?
There are no specific remedies available for CVE-2019-16723 in Cacti.
Where can I find more information about CVE-2019-16723?
You can find more information about CVE-2019-16723 at the following references: [Reference 1](http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html), [Reference 2](http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html), [Reference 3](http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html).
- collector/debian-bugs
- alias/CVE-2019-16723
- collector/nvd-index
- collector/security-tracker-debian
- package-manager/debian
- vendor/cacti
- canonical/cacti cacti
- version/cacti cacti/1.2.6