DEBIAN-CVE-2023-30534

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2023-30534

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-30534.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-30534

Upstream

CVE-2023-30534

Published

2023-09-05T22:15:08Z

Modified

2025-09-19T06:07:27Z

Summary

[none]

Details

Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphsnew.php, specifically within the hostnewgraphssave function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

https://security-tracker.debian.org/tracker/CVE-2023-30534

Affected packages

Debian:13 / cacti

Package

Name: cacti
Purl: pkg:deb/debian/cacti?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.25+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / cacti

Package

Name: cacti
Purl: pkg:deb/debian/cacti?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.25+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}