CVE-2023-39361: Unauthenticated SQL Injection in graph_view.php in Cacti
First published: Tue Sep 05 2023(Updated: )
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | =1.2.24 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| ubuntu/cacti | <1.2.25+ | 1.2.25+ |
| ubuntu/cacti | <1.2.25+ | 1.2.25+ |
| ubuntu/cacti | <1.2.19+ | 1.2.19+ |
| debian/cacti | <=1.2.2+ds1-2+deb10u4 | 1.2.2+ds1-2+deb10u6 1.2.16+ds1-2+deb11u2 1.2.16+ds1-2+deb11u3 1.2.24+ds1-1+deb12u1 1.2.24+ds1-1+deb12u2 1.2.26+ds1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://www.debian.org/security/2023/dsa-5550
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
- https://launchpad.net/bugs/cve/CVE-2023-39361
- https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822
- https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37
- https://security-tracker.debian.org/tracker/CVE-2023-39361
- https://ubuntu.com/security/notices/USN-6720-1
- https://www.cve.org/CVERecord?id=CVE-2023-39361
- https://nvd.nist.gov/vuln/detail/CVE-2023-39361
- https://ubuntu.com/security/CVE-2023-39361
Frequently Asked Questions
What is CVE-2023-39361?
CVE-2023-39361 is a vulnerability discovered in Cacti, an open source operational monitoring and fault management framework, that allows for SQL injection in graph_view.php.
How severe is CVE-2023-39361?
CVE-2023-39361 has a severity rating of 9.8, which is classified as critical.
Which version of Cacti is affected by CVE-2023-39361?
Cacti version 1.2.24 is affected by CVE-2023-39361.
What is the Common Weakness Enumeration (CWE) ID for CVE-2023-39361?
The CWE ID for CVE-2023-39361 is CWE-89.
How can I fix the CVE-2023-39361 vulnerability?
To fix the CVE-2023-39361 vulnerability, it is recommended to update Cacti to a version that includes the necessary security patches and to apply any provided fixes or workarounds.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- agent/softwarecombine
- agent/references
- agent/author
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/cacti
- canonical/cacti cacti
- version/cacti cacti/1.2.24
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/debian
- package-manager/ubuntu