CVE-2019-17358 — Deserialization of Untrusted Data in Cacti

CWE-502 — Deserialization of Untrusted Data CWE-787 — Out-of-bounds Write7 documents5 sources

Severity

8.1HIGHNVD

EPSS

2.3%

top 15.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti Debian Linux +1 more

Timeline

PublishedDec 12

Latest updateMay 24

Description

Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶debiandebian/cacti< cacti 1.2.8+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.2.8+ds1-1+3

▶NVDcacti/cacti1.2.7

▶NVDopensuse/leap42.3

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-7mqg-g2q4-78m2: Cacti through 1↗2022-05-24

▶

OSV

CVE-2019-17358: Cacti through 1↗2019-12-12

▶

📋Vendor Advisories

Debian

CVE-2019-17358: cacti - Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsaf...↗2019

▶

💬Community

Bugzilla

CVE-2019-17358 cacti: unsafe deserialization of user-controlled data [fedora-all]↗2019-12-26

▶

Bugzilla

CVE-2019-17358 cacti: unsafe deserialization of user-controlled data [epel-all]↗2019-12-26

▶

Bugzilla

CVE-2019-17358 cacti: unsafe deserialization of user-controlled data↗2019-12-26

▶