CVE-2023-39365: Cacti graph_view SQL Injection Authentication Bypass Vulnerability
First published: Tue Sep 05 2023(Updated: )
Cacti is an open source operational monitoring and fault management framework. Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | <1.2.25 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| debian/cacti | <=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1 | 1.2.16+ds1-2+deb11u2 1.2.24+ds1-1+deb12u1 1.2.25+ds1-2 |
| Cacti Cacti |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/security/advisories/GHSA-v5w7-hww7-2f22
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://www.zerodayinitiative.com/advisories/ZDI-23-1499/
- https://www.zerodayinitiative.com/advisories/ZDI-23-1500/
- https://github.com/cacti/cacti/commit/f775c115e9d6e4b6a326eee682af8afebc43f20e
- https://security-tracker.debian.org/tracker/CVE-2023-39365
- https://github.com/cacti/cacti/security/advisories/GHSA-v5w7-hww7-2f22
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://www.debian.org/security/2023/dsa-5550
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
Frequently Asked Questions
What is CVE-2023-39365?
CVE-2023-39365 is a vulnerability in the Cacti open source operational monitoring and fault management framework that can lead to limited SQL Injections and subsequent data leakage.
What is the severity of CVE-2023-39365?
The severity of CVE-2023-39365 is rated as medium with a CVSS score of 6.3.
How does CVE-2023-39365 affect Cacti?
CVE-2023-39365 affects Cacti versions up to and excluding 1.2.25, allowing for limited SQL Injections and potential data leakage.
How do I fix CVE-2023-39365?
To fix CVE-2023-39365, users are advised to upgrade to Cacti version 1.2.25.
Where can I find more information about CVE-2023-39365?
For more information about CVE-2023-39365, you can visit the Cacti Security Advisories page on GitHub (link provided in the references).
- collector/nvd-index
- collector/security-tracker-debian
- collector/zdi-advisory
- alias/ZDI-23-1500
- alias/ZDI-CAN-20767
- alias/CVE-2023-39365
- alias/ZDI-23-1499
- alias/ZDI-CAN-21001
- agent/type
- agent/author
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/title
- agent/weakness
- agent/description
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/cacti
- canonical/cacti cacti
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/debian