CVE-2023-30534

Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphsnew.php, specifically within the hostnewgraphssave function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:11 / cacti

Package

Name: cacti
Purl: pkg:deb/debian/cacti?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.16+ds1-2

1.2.16+ds1-2+deb11u1

1.2.16+ds1-2+deb11u2

1.2.16+ds1-2+deb11u3

1.2.16+ds1-2+deb11u4

1.2.16+ds1-2+deb11u5

1.2.19+ds1-1

1.2.19+ds1-2

1.2.20+ds1-1

1.2.20+ds1-2

1.2.21+ds1-1

1.2.22+ds1-1

1.2.22+ds1-2

1.2.22+ds1-3

1.2.23+ds1-1

1.2.23+ds1-2

1.2.24+ds1-1

1.2.25+ds1-1

1.2.25+ds1-2

1.2.26+ds1-1

1.2.27+ds1-1

1.2.27+ds1-2

1.2.28+ds1-1

1.2.28+ds1-2

1.2.28+ds1-3

1.2.28+ds1-4

1.2.30+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / cacti

Package

Name: cacti
Purl: pkg:deb/debian/cacti?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.24+ds1-1

1.2.24+ds1-1+deb12u1

1.2.24+ds1-1+deb12u2

1.2.24+ds1-1+deb12u3

1.2.24+ds1-1+deb12u4

1.2.24+ds1-1+deb12u5

1.2.25+ds1-1

1.2.25+ds1-2

1.2.26+ds1-1

1.2.27+ds1-1

1.2.27+ds1-2

1.2.28+ds1-1

1.2.28+ds1-2

1.2.28+ds1-3

1.2.28+ds1-4

1.2.30+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / cacti

Package

Name: cacti
Purl: pkg:deb/debian/cacti?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.25+ds1-1

Affected versions

1.*

1.2.24+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/cacti/cacti

Affected ranges

Type: GIT
Repo: https://github.com/cacti/cacti
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

18500fa313a9f1ee1be48aa111c0eeea001010fa

Affected versions

releaes/1.*

releaes/1.2.19

release/1.*

release/1.0.0

release/1.0.1

release/1.0.2

release/1.0.3

release/1.0.4

release/1.0.5

release/1.0.6

release/1.1.0

release/1.1.1

release/1.1.11

release/1.1.12

release/1.1.13

release/1.1.14

release/1.1.15

release/1.1.16

release/1.1.17

release/1.1.18

release/1.1.19

release/1.1.2

release/1.1.20

release/1.1.21

release/1.1.22

release/1.1.23

release/1.1.24

release/1.1.25

release/1.1.26

release/1.1.27

release/1.1.28

release/1.1.29

release/1.1.3

release/1.1.30

release/1.1.31

release/1.1.32

release/1.1.33

release/1.1.34

release/1.1.35

release/1.1.36

release/1.1.37

release/1.1.38

release/1.1.4

release/1.1.5

release/1.1.6

release/1.1.7

release/1.1.8

release/1.2.0

release/1.2.0-beta1

release/1.2.0-beta2

release/1.2.0-beta3

release/1.2.0-beta4

release/1.2.1

release/1.2.10

release/1.2.11

release/1.2.12

release/1.2.13

release/1.2.14

release/1.2.15

release/1.2.16

release/1.2.17

release/1.2.18

release/1.2.19

release/1.2.2

release/1.2.20

release/1.2.21

release/1.2.22

release/1.2.23

release/1.2.24

release/1.2.3

release/1.2.4

release/1.2.5

release/1.2.6

release/1.2.7

release/1.2.8

release/1.2.9