Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2020-272.NASL
HistoryMar 02, 2020 - 12:00 a.m.

openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-272)

2020-03-0200:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
19

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.105 Low

EPSS

Percentile

95.0%

JSON

This update for cacti, cacti-spine fixes the following issues :

cacti-spine was updated to version 1.2.9.

Security issues fixed :

  • CVE-2009-4112: Fixed a privilege escalation (bsc#1122535).

  • CVE-2018-20723: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122245).

  • CVE-2018-20724: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122244).

  • CVE-2018-20725: Fixed a privilege escalation that could occur under certain conditions (bsc#1122535).

  • CVE-2018-20726: Fixed a cross-site scripting (XSS) vulnerability (bsc#1122242).

  • CVE-2019-16723: Fixed an authentication bypass vulnerability.

  • CVE-2019-17357: Fixed a SQL injection vulnerability (bsc#1158990).

  • CVE-2019-17358: Fixed an unsafe deserialization in sanitize_unserialize_selected_items (bsc#1158992).

  • CVE-2020-7106: Fixed a potential cross-site scripting (XSS) vulnerability (bsc#1163749).

  • CVE-2020-7237: Fixed a remote code execution that affected privileged users via shell metacharacters in the Performance Boost Debug Log field (bsc#1161297).

Non-security issues fixed :

  • Fixed missing packages php-json, php-ctype, and php-gd in cacti.spec (boo#1101024).

  • Fixed Apache2.4 and Apache2.2 runtime configuration issue (boo#1101139).

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-272.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('compat.inc');

if (description)
{
  script_id(134195);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/25");

  script_cve_id(
    "CVE-2009-4112",
    "CVE-2018-20723",
    "CVE-2018-20724",
    "CVE-2018-20725",
    "CVE-2018-20726",
    "CVE-2019-16723",
    "CVE-2019-17357",
    "CVE-2019-17358",
    "CVE-2020-7106",
    "CVE-2020-7237"
  );

  script_name(english:"openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-272)");

  script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"This update for cacti, cacti-spine fixes the following issues :

cacti-spine was updated to version 1.2.9.

Security issues fixed :

  - CVE-2009-4112: Fixed a privilege escalation
    (bsc#1122535).

  - CVE-2018-20723: Fixed a cross-site scripting (XSS)
    vulnerability (bsc#1122245).

  - CVE-2018-20724: Fixed a cross-site scripting (XSS)
    vulnerability (bsc#1122244).

  - CVE-2018-20725: Fixed a privilege escalation that could
    occur under certain conditions (bsc#1122535).

  - CVE-2018-20726: Fixed a cross-site scripting (XSS)
    vulnerability (bsc#1122242).

  - CVE-2019-16723: Fixed an authentication bypass
    vulnerability.

  - CVE-2019-17357: Fixed a SQL injection vulnerability
    (bsc#1158990).

  - CVE-2019-17358: Fixed an unsafe deserialization in
    sanitize_unserialize_selected_items (bsc#1158992).

  - CVE-2020-7106: Fixed a potential cross-site scripting
    (XSS) vulnerability (bsc#1163749).

  - CVE-2020-7237: Fixed a remote code execution that
    affected privileged users via shell metacharacters in
    the Performance Boost Debug Log field (bsc#1161297).

Non-security issues fixed :

  - Fixed missing packages php-json, php-ctype, and php-gd
    in cacti.spec (boo#1101024).

  - Fixed Apache2.4 and Apache2.2 runtime configuration
    issue (boo#1101139).");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082318");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1101024");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1101139");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1122242");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1122243");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1122244");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1122245");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1122535");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1158990");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1158992");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1161297");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1163749");
  script_set_attribute(attribute:"see_also", value:"https://features.opensuse.org/326485");
  script_set_attribute(attribute:"solution", value:
"Update the affected cacti / cacti-spine packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7237");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cacti");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cacti-spine");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cacti-spine-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cacti-spine-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.1", reference:"cacti-1.2.9-lp151.3.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"cacti-spine-1.2.9-lp151.3.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"cacti-spine-debuginfo-1.2.9-lp151.3.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"cacti-spine-debugsource-1.2.9-lp151.3.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cacti-spine / cacti-spine-debuginfo / cacti-spine-debugsource / etc");
}
VendorProductVersionCPE
novellopensusecactip-cpe:/a:novell:opensuse:cacti
novellopensusecacti-spinep-cpe:/a:novell:opensuse:cacti-spine
novellopensusecacti-spine-debuginfop-cpe:/a:novell:opensuse:cacti-spine-debuginfo
novellopensusecacti-spine-debugsourcep-cpe:/a:novell:opensuse:cacti-spine-debugsource
novellopensuse15.1cpe:/o:novell:opensuse:15.1

References

Related

suse 5
openvas 30
nessus 17
gentoo 1
fedora 11
debian 5
freebsd 4
debiancve 11
cvelist 11
cve 11
ubuntucve 11
osv 15
nvd 11
prion 11
redhatcve 1
alpinelinux 3
securityvulns 2
seebug 1
suse
suse
Security update for cacti, cacti-spine (important)
2020-03-02 00:00:00
Security update for cacti, cacti-spine (important)
2020-03-01 00:00:00
Security update for cacti, cacti-spine (important)
2020-04-30 00:00:00
openvas
openvas
openSUSE: Security Advisory for cacti, (openSUSE-SU-2020:0272-1)
2020-03-02 00:00:00
openSUSE: Security Advisory for cacti, (openSUSE-SU-2020:0558-1)
2020-04-28 00:00:00
Fedora: Security Advisory for cacti (FEDORA-2020-90f1c8229e)
2020-02-19 00:00:00
nessus
nessus
openSUSE Security Update : cacti / cacti-spine (openSUSE-2020-558)
2020-04-29 00:00:00
GLSA-202003-40 : Cacti: Multiple vulnerabilities
2020-03-20 00:00:00
Debian DSA-4604-1 : cacti - security update
2020-01-21 00:00:00
gentoo
gentoo
Cacti: Multiple vulnerabilities
2020-03-19 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: cacti-1.2.10-1.fc30
2020-03-09 20:55:23
[SECURITY] Fedora 30 Update: cacti-1.2.9-1.fc30
2020-02-19 01:28:38
[SECURITY] Fedora 31 Update: cacti-1.2.9-1.fc31
2020-02-19 01:54:46
debian
debian
[SECURITY] [DSA 4604-1] cacti security update
2020-01-19 21:49:03
[SECURITY] [DLA 2032-1] cacti security update
2019-12-11 11:51:25
[SECURITY] [DLA 2069-1] cacti security update
2020-01-18 14:01:07
freebsd
freebsd
cacti -- multiple vulnerabilities
2019-10-12 00:00:00
cacti -- multiple vulnerabilities
2020-02-04 00:00:00
cacti -- Authenticated users may bypass authorization checks
2019-09-23 00:00:00
debiancve
debiancve
CVE-2019-17357
2020-01-21 19:15:13
CVE-2018-20724
2019-01-16 16:29:00
CVE-2018-20723
2019-01-16 16:29:00
cvelist
cvelist
CVE-2019-17357
2020-01-21 18:35:44
CVE-2018-20724
2019-01-16 16:00:00
CVE-2019-16723
2019-09-23 14:24:47
cve
cve
CVE-2018-20724
2019-01-16 16:29:00
CVE-2019-17357
2020-01-21 19:15:13
CVE-2018-20723
2019-01-16 16:29:00
ubuntucve
ubuntucve
CVE-2019-17357
2020-01-21 00:00:00
CVE-2018-20724
2019-01-16 00:00:00
CVE-2018-20723
2019-01-16 00:00:00
osv
osv
CVE-2019-17357
2020-01-21 19:15:13
CVE-2018-20723
2019-01-16 16:29:00
CVE-2018-20724
2019-01-16 16:29:00
nvd
nvd
CVE-2018-20724
2019-01-16 16:29:00
CVE-2018-20723
2019-01-16 16:29:00
CVE-2018-20725
2019-01-16 16:29:00
prion
prion
Cross site request forgery (csrf)
2020-01-21 19:15:00
Cross site scripting
2019-01-16 16:29:00
Cross site scripting
2019-01-16 16:29:00
redhatcve
redhatcve
CVE-2019-16723
2022-05-21 00:20:01
alpinelinux
alpinelinux
CVE-2020-7237
2020-01-20 05:15:11
CVE-2019-17358
2019-12-12 14:15:16
CVE-2020-7106
2020-01-16 04:15:11
securityvulns
securityvulns
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2009-12-16 00:00:00
[SECURITY] [DSA 1954-1] New cacti packages fix insufficient input sanitising
2009-12-16 00:00:00
seebug
seebug
New cacti packages fix insufficient input sanitising
2009-12-17 00:00:00

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.105 Low

EPSS

Percentile

95.0%

JSON
Related for OPENSUSE-2020-272.NASL
suse5openvas30nessus17gentoo1fedora11debian5freebsd4debiancve11cvelist11cve11ubuntucve11osv15nvd11prion11redhatcve1alpinelinux3securityvulns2seebug1