CVE-2024-25641

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
http://seclists.org/fulldisclosure/2024/May/6
https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/

Configurations

No configuration.

History

No history.

Information

Published : 2024-05-14 15:05

Updated : 2024-06-10 17:16

NVD link : CVE-2024-25641

Mitre link : CVE-2024-25641

CVE.ORG link : CVE-2024-25641

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2024-25641", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2024-05-14T15:05:50.423", "references": [{"url": "http://seclists.org/fulldisclosure/2024/May/6", "source": "security-advisories@github.com"}, {"url": "https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210", "source": "security-advisories@github.com"}, {"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the \"Package Import\" feature, allows authenticated users having the \"Import Templates\" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue."}, {"lang": "es", "value": "Cacti proporciona un framework de monitoreo operativo y gesti\u00f3n de fallas. Antes de la versi\u00f3n 1.2.27, una vulnerabilidad de escritura de archivos arbitrarios, explotable a trav\u00e9s de la funci\u00f3n \"Importar paquetes\", permit\u00eda a los usuarios autenticados que ten\u00edan el permiso \"Importar plantillas\" ejecutar c\u00f3digo PHP arbitrario en el servidor web. La vulnerabilidad se encuentra dentro de la funci\u00f3n `import_package()` definida en el script `/lib/import.php`. La funci\u00f3n conf\u00eda ciegamente en el nombre del archivo y el contenido del archivo proporcionado dentro de los datos XML, y escribe dichos archivos en la ruta base de Cacti (o incluso fuera, ya que las secuencias de Path Traversal no se filtran). Esto puede aprovecharse para escribir o sobrescribir archivos arbitrarios en el servidor web, lo que lleva a la ejecuci\u00f3n de c\u00f3digo PHP arbitrario u otros impactos en la seguridad. La versi\u00f3n 1.2.27 contiene un parche para este problema."}], "lastModified": "2024-06-10T17:16:21.837", "sourceIdentifier": "security-advisories@github.com"}