CVE-2020-13230 — Improper Preservation of Permissions in Cacti

CWE-281 — Improper Preservation of Permissions9 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.8%

top 25.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti Debian Linux +1 more

Timeline

PublishedMay 20

Latest updateJun 9

Description

In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDcacti/cacti< 1.2.11

▶debiandebian/cacti< cacti 1.2.11+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.2.11+ds1-1+3

▶Ubuntucacti/cacti< 0.8.8f+ds1-4ubuntu4.16.04.2+esm1+2

Also affects: Debian Linux 9.0, Fedora 31, 32

🔴Vulnerability Details

OSV

cacti vulnerabilities↗2022-06-09

▶

GHSA

GHSA-pqfc-vh74-fmv2: In Cacti before 1↗2022-05-24

▶

OSV

CVE-2020-13230: In Cacti before 1↗2020-05-20

▶

📋Vendor Advisories

Ubuntu

Cacti vulnerabilities↗2022-06-09

▶

Debian

CVE-2020-13230: cacti - In Cacti before 1.2.11, disabling a user account does not immediately invalidate...↗2020

▶

💬Community

Bugzilla

CVE-2020-13230 cacti: improper access control on disabling a user [fedora-all]↗2020-05-26

▶

Bugzilla

CVE-2020-13230 cacti: improper access control on disabling a user [epel-all]↗2020-05-26

▶

Bugzilla

CVE-2020-13230 cacti: improper access control on disabling a user↗2020-05-26

▶