CVSS3: 10 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
AI Score: 8.6 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 29.1%)
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when the register_argc_argv option of PHP is On. In cmd_realtime.php line 119, the $poller_id used as part of the command execution is sourced from $_SERVER['argv'], which can be controlled via the request URL when register_argc_argv is On. This option is On by default in many environments, such as the main PHP Docker image. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
| OS | OS Version | Architecture | Package | Affected Version | Fixed Package Filename |
|---|---|---|---|---|---|
| Debian | 12 | all | cacti | < 1.2.24+ds1-1+deb12u1 | cacti_1.2.24+ds1-1+deb12u1_all.deb |
| Debian | 11 | all | cacti | < 1.2.16+ds1-2+deb11u2 | cacti_1.2.16+ds1-2+deb11u2_all.deb |
| Debian | 10 | all | cacti | < 1.2.2+ds1-2+deb10u4 | cacti_1.2.2+ds1-2+deb10u4_all.deb |
| Debian | 999 | all | cacti | < 1.2.27+ds1-2 | cacti_1.2.27+ds1-2_all.deb |
| Debian | 13 | all | cacti | < 1.2.27+ds1-2 | cacti_1.2.27+ds1-2_all.deb |