osv | Google | OSV:DLA-278-1
History: Jul 20, 2015 - 12:00 a.m.

cacti - security update

2015-07-20 00:00:00
Google
osv.dev

CVSS2: 7.5 High

  Access Vector:          NETWORK
  Access Complexity:      LOW
  Authentication:         NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       PARTIAL
  Availability Impact:    PARTIAL
  Vector:                 AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.008 Low (Percentile: 78.8%)

Several SQL injection vulnerabilities were discovered in cacti, a
frontend to rrdtool for monitoring systems and services:

  • CVE-2015-4634
    SQL injection vulnerability in Cacti before 0.8.8e allows remote
    attackers to execute arbitrary SQL commands in graphs.php

  • Currently unknown or unassigned CVEs
    SQL injection vulnerability in Cacti before 0.8.8e allows remote
    attackers to execute arbitrary SQL commands in cdef.php, color.php,
    data_input.php, data_queries.php, data_sources.php,
    data_templates.php, gprint_presets.php, graph_templates.php,
    graph_templates_items.php, graphs_items.php, host.php,
    host_templates.php, lib/functions.php, rra.php, tree.php and
    user_admin.php

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 0.8.7g-1+squeeze7.
