CVE-2024-31460: Cacti SQL Injection vulnerability in lib/api_automation.php caused by reading dirty data stored in database
First published: Mon May 13 2024(Updated: )
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/cacti | <=1.2.16+ds1-2+deb11u3<=1.2.24+ds1-1+deb12u2 | 1.2.16+ds1-2+deb11u4 1.2.24+ds1-1+deb12u4 1.2.27+ds1-2 |
| Cacti | <1.2.27 | |
| Fedora | =39 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
- https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://launchpad.net/bugs/cve/CVE-2024-31460
- https://github.com/Cacti/cacti/commit/8b516cb9a73322ad532231e74000c2ee097b495e
- https://security-tracker.debian.org/tracker/CVE-2024-31460
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31460
- https://nvd.nist.gov/vuln/detail/CVE-2024-31460
- https://ubuntu.com/security/CVE-2024-31460
Frequently Asked Questions
What is the severity of CVE-2024-31460?
CVE-2024-31460 has been classified with a moderate severity level due to its potential impact on SQL injection vulnerabilities.
How do I fix CVE-2024-31460?
To remediate CVE-2024-31460, upgrade Cacti to version 1.2.27 or later.
Which versions of Cacti are affected by CVE-2024-31460?
CVE-2024-31460 affects Cacti versions prior to 1.2.27.
Is CVE-2024-31460 related to SQL injection vulnerabilities?
Yes, CVE-2024-31460 involves insufficient validation leading to potential SQL injection vulnerabilities.
What is the impact of CVE-2024-31460?
The impact of CVE-2024-31460 may allow an attacker to manipulate SQL queries, potentially leading to unauthorized data access.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/cacti
- canonical/cacti
- vendor/fedoraproject
- canonical/fedora
- version/fedora/39