CVE-2019-17358
First published: Thu Dec 12 2019(Updated: )
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | <=1.2.7 | |
| Debian Debian Linux | =8.0 | |
| openSUSE Leap | =42.3 | |
| ubuntu/cacti | <0.8.8<1.2.8+ | 0.8.8 1.2.8+ |
| ubuntu/cacti | <0.8.8 | 0.8.8 |
| debian/cacti | 1.2.2+ds1-2+deb10u4 1.2.2+ds1-2+deb10u6 1.2.16+ds1-2+deb11u2 1.2.16+ds1-2+deb11u3 1.2.24+ds1-1+deb12u1 1.2.24+ds1-1+deb12u2 1.2.26+ds1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/issues/3026
- https://security-tracker.debian.org/tracker/CVE-2019-17358
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17358
- https://github.com/Cacti/cacti/commit/adf221344359f5b02b8aed43dfb6b33ae5d708c8
- https://security-tracker.debian.org/tracker/CVE-2019-17357
- https://security-tracker.debian.org/tracker/CVE-2019-16723
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947375
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-17358
- https://github.com/Cacti/cacti/blob/79f29cddb5eb05cbaff486cd634285ef1fed9326/lib/functions.php#L3109
- https://lists.debian.org/debian-lts-announce/2019/12/msg00014.html
- https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17358.html
- https://seclists.org/bugtraq/2020/Jan/25
- https://security.gentoo.org/glsa/202003-40
- https://www.darkmatter.ae/xen1thlabs/
- https://www.debian.org/security/2020/dsa-4604
- https://launchpad.net/bugs/cve/CVE-2019-17358
- https://www.cve.org/CVERecord?id=CVE-2019-17358
- https://nvd.nist.gov/vuln/detail/CVE-2019-17358
- https://ubuntu.com/security/CVE-2019-17358
Frequently Asked Questions
What is CVE-2019-17358?
CVE-2019-17358 is a vulnerability in Cacti through 1.2.7 that allows an authenticated attacker to influence object data values and control actions taken by Cacti or potentially cause memory corruption in PHP.
How does CVE-2019-17358 affect Cacti?
CVE-2019-17358 affects Cacti versions up to and including 1.2.7.
What is the severity of CVE-2019-17358?
CVE-2019-17358 has a severity rating of 8.1 (high).
How can an attacker exploit CVE-2019-17358?
An authenticated attacker can exploit CVE-2019-17358 by using unsafe deserialization of user-controlled data to populate arrays in the lib/functions.php file.
Is there a fix for CVE-2019-17358?
Yes, the fix for CVE-2019-17358 is to upgrade to Cacti version 1.2.8+ or apply the recommended patches for specific distributions.
- collector/debian-bugs
- alias/CVE-2019-17358
- collector/nvd-index
- agent/weakness
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/references
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/cacti
- canonical/cacti cacti
- version/cacti cacti/1.2.7
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/42.3
- package-manager/debian
- package-manager/ubuntu