[Pkg-cacti-maint] Bug#1079353: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u3
Bastien Roucariès
rouca at debian.org
Thu Aug 22 16:38:54 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: cacti at packages.debian.org
Control: affects -1 + src:cacti
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
Security upload, except for CVE-2024-27082, which needs
coordination with other packages.
[ Impact ]
Several CVEs, including an RCE, remain open.
[ Tests ]
Automated tests and manual testing of the application by myself and others, including users.
[ Risks ]
Low
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2024-25641: RCE vulnerability when importing packages
  An arbitrary file write vulnerability, exploitable through the
  "Package Import" feature, allows authenticated users having
  the "Import Templates" permission to execute arbitrary PHP
  code on the web server (RCE).
* Fix CVE-2024-29894: XSS vulnerability when using the JavaScript-based
  messaging API.
  raise_message_javascript from lib/functions.php now uses purify.js
  to fix CVE-2023-50250 (among others). However, it still generates
  the code from the unescaped PHP variables $title and $header.
  If those variables contain single quotes, they can be used to
  inject JavaScript code.
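The following is an added example, not Cacti's code and not part of this report: it contrasts writing PHP values straight into a generated JavaScript call (the pattern the entry describes for $title and $header) with emitting them as JSON-encoded literals. The function names unsafe_message_js, js_literal and safe_message_js, and the client-side function raiseMessage, are assumptions made for illustration.

```php
<?php
// Added example, not Cacti's code. Mirrors the pattern the report describes:
// PHP values ($title, $header) written into generated JavaScript.

// Unsafe pattern: the values land inside single-quoted JS string literals
// unescaped, so a single quote in either value terminates the literal and
// whatever follows it is parsed as JavaScript.
function unsafe_message_js(string $title, string $header): string
{
    return "raiseMessage('" . $title . "', '" . $header . "');";
}

// Hardened pattern: json_encode() emits a complete, correctly quoted JS
// string literal. The JSON_HEX_* flags additionally encode ' " < > & as
// \uXXXX escapes, so the output stays inert even when the <script> block
// is embedded in an HTML page.
function js_literal(string $value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES
    );
    // json_encode() returns false on invalid UTF-8; fail closed with an
    // empty literal rather than emitting nothing into the script.
    return $encoded === false ? '""' : $encoded;
}

function safe_message_js(string $title, string $header): string
{
    return "raiseMessage(" . js_literal($title) . ", " . js_literal($header) . ");";
}

// Constructed input: an ordinary value that happens to contain a single quote.
$title  = "Device O'Brien";
$header = "Import finished";

echo "unsafe: ", unsafe_message_js($title, $header), PHP_EOL;
echo "safe:   ", safe_message_js($title, $header), PHP_EOL;
```

Run with `php example.php`: the unsafe line shows the apostrophe in the device name closing the first string literal early, while the safe line carries it as a \u0027 escape inside a double-quoted literal. Using json_encode() for every value that enters a JavaScript context is the same idea as HTML-escaping for an HTML context; the encoder must match the context the value is written into.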
* Fix CVE-2024-31443: XSS vulnerability when managing data queries
  Some of the data stored by the form_save() function in
  data_queries.php is not thoroughly checked and is concatenated into
  the HTML built by the grow_right_pane_tree() function in lib/html.php,
  finally resulting in XSS.
* Fix CVE-2024-31444: XSS vulnerability when reading tree rules with
  the Automation API.
  Some of the data stored by the automation_tree_rules_form_save()
  function in automation_tree_rules.php is not thoroughly checked and
  is concatenated into the HTML built by the form_confirm() function in
  lib/html.php, finally resulting in XSS.
* Fix CVE-2024-31445: SQL injection vulnerability
  A SQL injection vulnerability in the `automation_get_new_graphs_sql`
  function of `api_automation.php` allows authenticated users to
  perform privilege escalation and remote code execution. In
  `api_automation.php` line 856, `get_request_var('filter')` is
  concatenated into the SQL statement without any sanitization. In
  `api_automation.php` line 717, the filter for `'filter'` is
  `FILTER_DEFAULT`, which means it is not filtered at all.
* Fix CVE-2024-31458: SQL injection vulnerability
  Some of the data stored by the `form_save()` function in
  `graph_template_inputs.php` is not thoroughly checked and is
  concatenated into the SQL statement built by the
  `draw_nontemplated_fields_graph_item()` function in
  `lib/html_form_templates.php`, finally resulting in SQL injection.
* Fix CVE-2024-31459: Remote code execution
  There is a file inclusion issue in the lib/plugin.php file.
  Combined with the SQL injection vulnerabilities, RCE can be achieved.
* Fix CVE-2024-31460: SQL injection vulnerability
  Some of the data stored by `automation_tree_rules.php` is not
  thoroughly checked and is concatenated into the SQL statement built
  by the `create_all_header_nodes()` function in `lib/api_automation.php`,
  finally resulting in SQL injection. Using SQL-based second-order
  injection, attackers can modify the contents of the Cacti database,
  and based on the modified content it may be possible to achieve
  further impact, such as arbitrary file reading and even remote code
  execution through arbitrary file writing.
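The three SQL injection entries above (CVE-2024-31445, CVE-2024-31458 and CVE-2024-31460) share one root cause: request data concatenated into SQL text. The following is an added example that is not Cacti's code (Cacti has its own database layer; this uses PDO with an in-memory SQLite table so that it runs stand-alone). It places the concatenating pattern next to a bound-parameter query and adds an allowlist for the parts of a statement that cannot be bound. The table name graph_templates, its columns, the rows and the function names are all constructed for illustration.

```php
<?php
// Added example, not Cacti's code. Uses PDO + SQLite in memory; the table
// graph_templates(id, name) and all of its rows are constructed here.

// Pattern the report describes: a request value (such as a 'filter'
// parameter that passed through FILTER_DEFAULT, i.e. unfiltered) spliced
// into SQL text. A quote in the value changes the statement's structure.
function filter_sql_concatenated(string $filter): string
{
    return "SELECT id, name FROM graph_templates WHERE name LIKE '%" . $filter . "%'";
}

// Hardened pattern: fixed SQL text, user value passed as a bound parameter.
// The database never parses the value as syntax, whatever it contains.
function templates_matching(PDO $db, string $filter): array
{
    $stmt = $db->prepare(
        "SELECT id, name FROM graph_templates WHERE name LIKE ? ORDER BY name"
    );
    $stmt->execute(['%' . $filter . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers and keywords (sort column, direction) cannot be bound as
// parameters; map them through an allowlist instead of concatenating input.
function order_clause(string $column, string $direction): string
{
    $columns    = ['id' => 'id', 'name' => 'name'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[strtolower($column)] ?? 'name';
    $dir = $directions[strtolower($direction)] ?? 'ASC';
    return "ORDER BY $col $dir";
}

// Constructed database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE graph_templates (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO graph_templates (name) VALUES ('Interface Traffic'), ('O''Reilly Load')");

// A legitimate value containing a quote: the concatenated statement is
// malformed (its structure now depends on the input), while the bound
// query simply matches the row.
$filter = "O'Reilly";
echo "concatenated: ", filter_sql_concatenated($filter), PHP_EOL;
foreach (templates_matching($db, $filter) as $row) {
    echo "bound match:  ", $row['id'], ' ', $row['name'], PHP_EOL;
}

// Allowlisted sort inputs; anything outside the list falls back to defaults.
echo order_clause('name', 'DESC'), PHP_EOL;
echo order_clause('nonexistent', 'sideways'), PHP_EOL;
```

The allowlist in order_clause() is the part most often forgotten: binding covers values, but column names and ORDER BY directions still have to come from a fixed set of strings chosen by the code, never from the request. In a review of code like the functions the report names, every place where a request variable is concatenated into a query string, rather than passed as a parameter or mapped through such a list, is a finding.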
* Fix CVE-2024-34340: type juggling vulnerability
  Cacti calls `compat_password_hash` when users set their password.
  `compat_password_hash` uses `password_hash` if it is available,
  otherwise `md5`. When verifying a password, it calls
  `compat_password_verify`, which calls `password_verify` if it is
  available, otherwise `md5`. `password_verify` and `password_hash`
  are supported on PHP < 5.5.0, following the PHP manual. The
  vulnerability is in `compat_password_verify`: the md5 hash of the
  user input is compared with the correct password hash from the
  database by `$md5 == $hash`, a loose comparison rather than `===`.
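The following is an added example, not Cacti's code and not part of this report, showing why the loose comparison described above is unsafe and what the strict form of the md5 fallback looks like. The function names loose_equal, strict_equal, verify_loose and verify_strict and the sample values are constructed for illustration.

```php
<?php
// Added example, not Cacti's code. Shows why the loose comparison the
// report describes ($md5 == $hash) is unsafe and what the strict form is.

// PHP's == compares two numeric-looking strings as numbers. Strings shaped
// like "0e<digits>" parse as zero in scientific notation, so any two of them
// are "equal" under == even though their bytes differ. === compares bytes.
function loose_equal(string $a, string $b): bool
{
    return $a == $b;
}

function strict_equal(string $a, string $b): bool
{
    return $a === $b;
}

// Vulnerable pattern from the report: the md5 hex digest of the input is
// loosely compared with the stored digest. Two digests that both happen to
// have the "0e<digits>" shape verify against each other under ==.
function verify_loose(string $password, string $stored_md5): bool
{
    return md5($password) == $stored_md5;
}

// Hardened fallback: strict, constant-time comparison of the two digests.
// (md5 is itself a poor password hash; where password_hash()/password_verify()
// exist, which the report says the non-fallback path uses, they are the right
// primitives, and this branch should only be reached on legacy installs.)
function verify_strict(string $password, string $stored_md5): bool
{
    return hash_equals($stored_md5, md5($password));
}

// Constructed values: two distinct strings of the "0e<digits>" shape.
$a = '0e1234';
$b = '0e5678';
var_dump(loose_equal($a, $b));
var_dump(strict_equal($a, $b));

// Constructed stored digest for the password "correct horse".
$stored = md5('correct horse');
var_dump(verify_strict('correct horse', $stored));
var_dump(verify_strict('wrong horse', $stored));
```

Running it shows loose_equal() returning true and strict_equal() returning false for the same two strings; the two verify_strict() calls return true and then false. The fix is not only the switch from == to ===: hash_equals() also compares in constant time, so the fallback path does not leak how many leading characters of the digest matched.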