CVE-2024-45598: Cacti has a Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
First published: Mon Jan 27 2025(Updated: )
Cacti is an open source performance and fault management framework. Prior to 1.2.29, an administrator can change the `Poller Standard Error Log Path` parameter in either Installation Step 5 or in Configuration->Settings->Paths tab to a local file inside the server. Then simply going to Logs tab and selecting the name of the local file will show its content on the web UI. This vulnerability is fixed in 1.2.29.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti | <1.2.29 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-45598?
CVE-2024-45598 has a high severity level due to the potential for unauthorized file access.
How do I fix CVE-2024-45598?
To fix CVE-2024-45598, upgrade to Cacti version 1.2.29 or later.
What does CVE-2024-45598 affect?
CVE-2024-45598 affects versions of Cacti prior to 1.2.29.
What is the nature of the vulnerability in CVE-2024-45598?
CVE-2024-45598 allows an administrator to improperly set the Poller Standard Error Log Path to a local file, potentially exposing sensitive data.
Is Cacti still safe to use after CVE-2024-45598?
Cacti remains safe to use as long as it is updated to the patched version 1.2.29 or higher.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/last-modified-date
- agent/source
- agent/author
- agent/event
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/cacti
- canonical/cacti