10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.4 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
29.1%
Cacti provides an operational monitoring and fault management framework. A
command injection vulnerability on the 1.3.x DEV branch allows any
unauthenticated user to execute arbitrary command on the server when
register_argc_argv
option of PHP is On
. In cmd_realtime.php
line 119,
the $poller_id
used as part of the command execution is sourced from
$_SERVER['argv']
, which can be controlled by URL when
register_argc_argv
option of PHP is On
. And this option is On
by
default in many environments such as the main PHP Docker image for PHP.
Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the
issue, but this commit was reverted in commit
99633903cad0de5ace636249de16f77e57a3c8fc.
github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
launchpad.net/bugs/cve/CVE-2024-29895
nvd.nist.gov/vuln/detail/CVE-2024-29895
security-tracker.debian.org/tracker/CVE-2024-29895
www.cve.org/CVERecord?id=CVE-2024-29895
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.4 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
29.1%