UBUNTU-CVE-2024-43363

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-43363

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-43363.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-43363

Upstream

CVE-2024-43363

Published

2024-10-07T21:15:00Z

Modified

2025-07-14T07:16:22.997493Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Ubuntu:Pro:14.04:LTS / cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti@0.8.8b+dfsg-5ubuntu0.2+esm2?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.8b+dfsg-3

0.8.8b+dfsg-5

0.8.8b+dfsg-5ubuntu0.1

0.8.8b+dfsg-5ubuntu0.2

0.8.8b+dfsg-5ubuntu0.2+esm1

0.8.8b+dfsg-5ubuntu0.2+esm2

Ubuntu:Pro:16.04:LTS / cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti@0.8.8f+ds1-4ubuntu4.16.04.2+esm2?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.8f+ds1-2

0.8.8f+ds1-3

0.8.8f+ds1-4

0.8.8f+ds1-4ubuntu1

0.8.8f+ds1-4ubuntu2

0.8.8f+ds1-4ubuntu3

0.8.8f+ds1-4ubuntu4

0.8.8f+ds1-4ubuntu4.16.04

0.8.8f+ds1-4ubuntu4.16.04.1

0.8.8f+ds1-4ubuntu4.16.04.2

0.8.8f+ds1-4ubuntu4.16.04.2+esm1

0.8.8f+ds1-4ubuntu4.16.04.2+esm2

Ubuntu:Pro:18.04:LTS / cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti@1.1.38+ds1-1ubuntu0.1~esm4?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.18+ds1-1

1.1.27+ds1-2

1.1.27+ds1-3

1.1.28+ds1-2

1.1.35+ds1-1

1.1.36+ds1-1

1.1.38+ds1-1

1.1.38+ds1-1ubuntu0.1~esm1

1.1.38+ds1-1ubuntu0.1~esm3

1.1.38+ds1-1ubuntu0.1~esm4

Ubuntu:Pro:20.04:LTS / cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti@1.2.10+ds1-1ubuntu1.1+esm2?arch=source&distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.4+ds1-2ubuntu3

1.2.9+ds1-1ubuntu1

1.2.9+ds1-1ubuntu2

1.2.10+ds1-1ubuntu1

1.2.10+ds1-1ubuntu1+esm1

1.2.10+ds1-1ubuntu1.1

1.2.10+ds1-1ubuntu1.1+esm1

1.2.10+ds1-1ubuntu1.1+esm2

Ubuntu:22.04:LTS / cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti@1.2.19+ds1-2ubuntu1.1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.16+ds1-2ubuntu1

1.2.19+ds1-2ubuntu1

1.2.19+ds1-2ubuntu1.1

Ubuntu:24.04:LTS / cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti@1.2.26+ds1-1ubuntu0.1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.25+ds1-2

1.2.26+ds1-1

1.2.26+ds1-1ubuntu0.1

Ubuntu:25.04 / cacti

Package

Name: cacti
Purl: pkg:deb/ubuntu/cacti@1.2.28+ds1-4ubuntu1?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.27+ds1-2ubuntu1

1.2.28+ds1-2

1.2.28+ds1-2ubuntu1

1.2.28+ds1-3ubuntu1

1.2.28+ds1-4ubuntu1