10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
15.3%
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when register_argc_argv
option of PHP is On
. In cmd_realtime.php
line 119, the $poller_id
used as part of the command execution is sourced from $_SERVER['argv']
, which can be controlled by URL when register_argc_argv
option of PHP is On
. And this option is On
by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
[
{
"vendor": "Cacti",
"product": "cacti",
"versions": [
{
"version": "= 1.3.x DEV",
"status": "affected"
}
]
}
]