cacti - Debian Package Tracker

general

source: cacti (main)
version: 1.2.28+ds1-2
maintainer: Cacti Maintainer (archive) (DMD)
uploaders: Paul Gevers [DMD]
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.2.2+ds1-2+deb10u4
o-o-sec: 1.2.2+ds1-2+deb10u6
oldstable: 1.2.16+ds1-2+deb11u3
old-sec: 1.2.16+ds1-2+deb11u4
stable: 1.2.24+ds1-1+deb12u4
stable-sec: 1.2.24+ds1-1+deb12u2
testing: 1.2.28+ds1-2
unstable: 1.2.28+ds1-2

versioned links

1.2.2+ds1-2+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.2+ds1-2+deb10u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-2+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.24+ds1-1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.24+ds1-1+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.28+ds1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cacti (4 bugs: 0, 3, 1, 0)

action needed

6 security issues in bullseye high

There are 6 open security issues in bullseye.

4 important issues:

CVE-2024-43362: Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php` . Morever, the said fileurl is placed in some html code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue.
CVE-2024-43363: Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-43364: Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php . Morever, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-43365: Cacti is an open source performance and fault management framework. The`consolenewsection` parameter is not properly sanitized when saving external links in links.php . Morever, the said consolenewsection parameter is stored in the database and reflected back to user in `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the “consolenewsection” parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.

1 issue postponed or untriaged:

CVE-2023-46490: (needs triaging) SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.

1 ignored issue:

CVE-2023-30534: Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Created: 2024-10-08 Last update: 2024-10-14 12:00

7 security issues in bookworm high

There are 7 open security issues in bookworm.

4 important issues:

CVE-2024-43362: Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php` . Morever, the said fileurl is placed in some html code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue.
CVE-2024-43363: Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-43364: Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php . Morever, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-43365: Cacti is an open source performance and fault management framework. The`consolenewsection` parameter is not properly sanitized when saving external links in links.php . Morever, the said consolenewsection parameter is stored in the database and reflected back to user in `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the “consolenewsection” parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.

2 issues left for the package maintainer to handle:

CVE-2023-46490: (needs triaging) SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.
CVE-2024-27082: (needs triaging) Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2023-30534: Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Created: 2023-08-17 Last update: 2024-10-14 12:00

12 security issues in buster high

There are 12 open security issues in buster.

10 important issues:

CVE-2024-25641: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
CVE-2024-27082: Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue.
CVE-2024-29894: Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.
CVE-2024-31443: Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
CVE-2024-31444: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
CVE-2024-31445: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.
CVE-2024-31458: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php` , finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue.
CVE-2024-31459: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue.
CVE-2024-31460: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue.
CVE-2024-34340: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue.

2 ignored issues:

CVE-2023-30534: Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-37543: Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.

Created: 2024-05-14 Last update: 2024-06-29 13:15

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2024-02-25 Last update: 2024-12-03 17:30

Depends on packages which need a new maintainer normal

The packages that cacti depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2024-12-03 16:33

lintian reports 5 warnings normal

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-10-11 Last update: 2024-10-11 23:00

debian/patches: 5 patches to forward upstream low

Among the 8 debian patches available in version 1.2.28+ds1-2 of the package, we noticed the following issues:

5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-10-12 20:34

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.6.1).

Created: 2022-12-17 Last update: 2024-10-12 19:05

news

[rss feed]

[2024-10-14] cacti 1.2.28+ds1-2 MIGRATED to testing (Debian testing watch)
[2024-10-12] Accepted cacti 1.2.28+ds1-2 (source) into unstable (Paul Gevers)
[2024-10-11] Accepted cacti 1.2.28+ds1-1 (source) into unstable (Paul Gevers)
[2024-09-09] Accepted cacti 1.2.16+ds1-2+deb11u4 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-08-25] Accepted cacti 1.2.24+ds1-1+deb12u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2024-08-23] Accepted cacti 1.2.24+ds1-1+deb12u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2024-05-20] cacti 1.2.27+ds1-2 MIGRATED to testing (Debian testing watch)
[2024-05-20] cacti 1.2.27+ds1-2 MIGRATED to testing (Debian testing watch)
[2024-05-17] Accepted cacti 1.2.27+ds1-2 (source) into unstable (Paul Gevers)
[2024-05-16] Accepted cacti 1.2.27+ds1-1 (source) into unstable (Paul Gevers)
[2024-03-25] Accepted cacti 1.2.16+ds1-2+deb11u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-24] Accepted cacti 1.2.24+ds1-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-24] Accepted cacti 1.2.24+ds1-1+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-24] Accepted cacti 1.2.16+ds1-2+deb11u3 (source) into oldstable-security (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-18] Accepted cacti 1.2.2+ds1-2+deb10u6 (source) into oldoldstable (Sylvain Beucler)
[2023-12-28] cacti 1.2.26+ds1-1 MIGRATED to testing (Debian testing watch)
[2023-12-25] Accepted cacti 1.2.26+ds1-1 (source) into unstable (Paul Gevers)
[2023-11-12] Accepted cacti 1.2.24+ds1-1+deb12u1 (source all) into proposed-updates (Debian FTP Masters) (signed by: Paul Gevers)
[2023-11-12] Accepted cacti 1.2.16+ds1-2+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Paul Gevers)
[2023-11-08] Accepted cacti 1.2.16+ds1-2+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Paul Gevers)
[2023-11-08] Accepted cacti 1.2.24+ds1-1+deb12u1 (source all) into stable-security (Debian FTP Masters) (signed by: Paul Gevers)
[2023-09-23] cacti 1.2.25+ds1-2 MIGRATED to testing (Debian testing watch)
[2023-09-23] cacti 1.2.25+ds1-2 MIGRATED to testing (Debian testing watch)
[2023-09-21] Accepted cacti 1.2.25+ds1-2 (source) into unstable (Paul Gevers)
[2023-09-09] cacti 1.2.25+ds1-1 MIGRATED to testing (Debian testing watch)
[2023-09-09] cacti 1.2.25+ds1-1 MIGRATED to testing (Debian testing watch)
[2023-09-06] Accepted cacti 1.2.25+ds1-1 (source) into unstable (Paul Gevers)
[2023-03-12] cacti 1.2.24+ds1-1 MIGRATED to testing (Debian testing watch)
[2023-03-02] Accepted cacti 1.2.24+ds1-1 (source) into unstable (Paul Gevers)
[2023-01-21] cacti 1.2.23+ds1-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian (0, 5)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (93, 96)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.28+ds1-2
7 bugs