Summary
Updates have been released that resolve 6 vulnerabilities, including one rated “critical” and one rated “high”, in Cacti, a well-known open-source web tool for visualizing network monitoring data as graphs. If exploited, these vulnerabilities could allow a remote attacker to bypass security mechanisms, execute arbitrary code, and gain arbitrary read/write access to files on target systems.
Note: proof-of-concept (PoC) exploits for all of the vulnerabilities are available online.
Risk
Vulnerability impact estimate on the target community [1]: Critical (78.33)
Type
- Remote Code Execution
- Arbitrary File Write/Read
- Security Restrictions Bypass
Affected products and/or versions
- Cacti 1.2.x, versions prior to 1.2.29
Mitigation actions
It is recommended to update vulnerable products following the guidance in the security advisories listed in the References section.
References
https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36
https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq
https://github.com/Cacti/cacti/security/advisories/GHSA-fh3x-69rr-qqpp
https://github.com/Cacti/cacti/security/advisories/GHSA-vj9g-p7f2-4wqj
https://github.com/Cacti/cacti/security/advisories/GHSA-f9c7-7rc3-574c
https://github.com/Cacti/cacti/security/advisories/GHSA-pv2c-97pp-vxwg
https://github.com/Cacti/cacti/security
[1] This estimate takes several parameters into account, including the CVSS score, the availability of patches/workarounds and PoCs, and the prevalence of the affected software/devices in the reference community.