[Pkg-cacti-maint] Bug#1094574: cacti: CVE-2024-45598 CVE-2024-54145 CVE-2024-54146 CVE-2025-22604 CVE-2025-24367 CVE-2025-24368
Salvatore Bonaccorso
carnil at debian.org
Tue Jan 28 21:37:25 GMT 2025
Source: cacti
Version: 1.2.28+ds1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for cacti.
CVE-2024-45598[0]:
| Cacti is an open source performance and fault management framework.
| Prior to 1.2.29, an administrator can change the `Poller Standard
| Error Log Path` parameter in either Installation Step 5 or in
| Configuration->Settings->Paths tab to a local file inside the
| server. Then simply going to Logs tab and selecting the name of the
| local file will show its content on the web UI. This vulnerability
| is fixed in 1.2.29.
CVE-2024-54145[1]:
| Cacti is an open source performance and fault management framework.
| Cacti has a SQL injection vulnerability in the get_discovery_results
| function of automation_devices.php using the network parameter. This
| vulnerability is fixed in 1.2.29.
CVE-2024-54146[2]:
| Cacti is an open source performance and fault management framework.
| Cacti has a SQL injection vulnerability in the template function of
| host_templates.php using the graph_template parameter. This
| vulnerability is fixed in 1.2.29.
CVE-2025-22604[3]:
| Cacti is an open source performance and fault management framework.
| Due to a flaw in multi-line SNMP result parser, authenticated users
| can inject malformed OIDs in the response. When processed by
| ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each
| OID will be used as a key in an array that is used as part of a
| system command, causing a command execution vulnerability. This
| vulnerability is fixed in 1.2.29.
CVE-2025-24367[4]:
| Cacti is an open source performance and fault management framework.
| An authenticated Cacti user can abuse graph creation and graph
| template functionality to create arbitrary PHP scripts in the web
| root of the application, leading to remote code execution on the
| server. This vulnerability is fixed in 1.2.29.
CVE-2025-24368[5]:
| Cacti is an open source performance and fault management framework.
| Some of the data stored in automation_tree_rules.php is not
| thoroughly checked and is used to concatenate the SQL statement in
| build_rule_item_filter() function from lib/api_automation.php,
| resulting in SQL injection. This vulnerability is fixed in 1.2.29.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Commits are found in the security-tracker references directly.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45598
https://www.cve.org/CVERecord?id=CVE-2024-45598
[1] https://security-tracker.debian.org/tracker/CVE-2024-54145
https://www.cve.org/CVERecord?id=CVE-2024-54145
[2] https://security-tracker.debian.org/tracker/CVE-2024-54146
https://www.cve.org/CVERecord?id=CVE-2024-54146
[3] https://security-tracker.debian.org/tracker/CVE-2025-22604
https://www.cve.org/CVERecord?id=CVE-2025-22604
[4] https://security-tracker.debian.org/tracker/CVE-2025-24367
https://www.cve.org/CVERecord?id=CVE-2025-24367
[5] https://security-tracker.debian.org/tracker/CVE-2025-24368
https://www.cve.org/CVERecord?id=CVE-2025-24368
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
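An added illustration of the pattern behind CVE-2025-24368 (not Cacti's own code, and not from the bug report): a hypothetical rule-item filter builder that concatenates every field of a tree-rule row into SQL, beside a hardened version that whitelists the identifier and operator and passes the user-controlled pattern as a bound parameter. The field names, operator list and the `host` table in the comment are assumptions for the example.

```php
<?php
// Added example, not Cacti's code. $rule_item mimics a tree-rule row:
// field (column), operation (operator), pattern (user-supplied value).

// Unsafe: all three parts are dropped straight into the SQL string,
// so a quote inside the pattern ends the literal and the rest becomes SQL.
function build_rule_item_filter_unsafe(array $rule_item): string
{
    return $rule_item['field'] . ' ' . $rule_item['operation']
         . " '" . $rule_item['pattern'] . "'";
}

// Hardened: identifiers and operators must match fixed lists (assumed
// names), the pattern never touches the query text and is bound instead.
const ALLOWED_FIELDS = ['h.description', 'h.hostname', 'h.notes'];
const ALLOWED_OPERATIONS = [
    '='        => '= ?',
    '!='       => '!= ?',
    'LIKE'     => 'LIKE ?',
    'NOT LIKE' => 'NOT LIKE ?',
];

function build_rule_item_filter_safe(array $rule_item, array &$params): string
{
    if (!in_array($rule_item['field'], ALLOWED_FIELDS, true)) {
        throw new InvalidArgumentException('unknown field in rule item');
    }
    if (!array_key_exists($rule_item['operation'], ALLOWED_OPERATIONS)) {
        throw new InvalidArgumentException('unknown operation in rule item');
    }
    $params[] = (string) $rule_item['pattern'];
    return $rule_item['field'] . ' ' . ALLOWED_OPERATIONS[$rule_item['operation']];
}

// Constructed sample row whose pattern carries a quote and a trailing clause.
$row = ['field' => 'h.description', 'operation' => 'LIKE',
        'pattern' => "%core%' OR '1'='1"];

// Concatenated form: the trailing clause is now part of the WHERE logic.
echo build_rule_item_filter_unsafe($row), "\n";

// Hardened form: the query text holds only a placeholder, the whole
// pattern (quote included) stays a value inside $params.
$params = [];
$where = build_rule_item_filter_safe($row, $params);
echo $where, "\n";
print_r($params);

// With PDO the placeholder is bound, so the pattern cannot alter the query:
// $stmt = $pdo->prepare("SELECT h.id FROM host AS h WHERE $where");
// $stmt->execute($params);
```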