CVE-2023-39361
Published 2023-09-05
Priority P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 87.58% (99.7th percentile)
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection in graph_view.php. Because guest users can access graph_view.php without authentication by default, the potential for damage is significant on installations where guest users are enabled. An attacker who exploits this vulnerability may be able to take over administrative privileges or achieve remote code execution. The issue is fixed in version 1.2.25, and users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | < 1.2.25 | 1.2.25 |
| cacti | cacti | — | — |
| cacti | cacti | >= 0 < 1.2.16+ds1-2+deb11u2 | 1.2.16+ds1-2+deb11u2 |
| cacti | cacti | >= 0 < 1.2.24+ds1-1+deb12u1 | 1.2.24+ds1-1+deb12u1 |
| cacti | cacti | >= 0 < 1.2.25+ds1-1 | 1.2.25+ds1-1 |
| cacti | cacti | >= 0 < 1.2.25+ds1-1 | 1.2.25+ds1-1 |
| debian | cacti | < cacti 1.2.24+ds1-1+deb12u1 (bookworm) | cacti 1.2.24+ds1-1+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
url: /graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=%22or+%22%22%3D%22%28%28%22%29%29%3BSELECT+SLEEP%2810%29%3B--+-
- Detect time-based blind SQL injection attempts against graph_view.php via the rfilter parameter; look for URL-encoded payloads containing SLEEP() or similar time-delay functions in the rfilter query parameter.
- Unauthenticated exploitation is possible when guest users are enabled; monitor for requests to graph_view.php from unauthenticated sessions (no valid session cookie) carrying SQL metacharacters in the rfilter parameter.
- Use response timing as a detection signal: a successful time-based SQLi payload will cause the server response to be delayed by the injected SLEEP duration (e.g., ≥10 seconds).
- Shodan/FOFA fingerprinting for exposed Cacti instances can be performed using the favicon hash -1797138069 or page titles 'Login to Cacti' / 'cacti'.
- Exploitation without authentication requires guest user accounts to be enabled in Cacti; if guest users are disabled, the attack surface is reduced to authenticated users only.
- The vulnerability is fixed in Cacti version 1.2.25; instances running 1.2.24 and earlier are affected. There are no known workarounds; upgrade is the only remediation.
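The log checks described in the list above can be sketched as follows. This is an added example, not taken from the page's sources or from Cacti. It assumes a combined-style access log whose last field is the request duration in seconds; the `/cacti/` path prefix, the client addresses and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed layout: combined-style request line, status, bytes, then the request
# duration in seconds as the final field (e.g. nginx $request_time).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<secs>\d+(?:\.\d+)?)$'
)
DELAY_FUNC_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay', re.I)
META_RE = re.compile(r'''["';]|--|/\*''')  # heuristic: unusual in a graph-name filter
SLOW_SECONDS = 10.0  # delay used in the URL quoted on this page

# Constructed log lines; the second request carries the URL quoted on this page.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Sep/2023:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=eth0 HTTP/1.1" 200 5120 0.084',
    '203.0.113.9 - - [05/Sep/2023:10:00:09 +0000] "GET /cacti/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=%22or+%22%22%3D%22%28%28%22%29%29%3BSELECT+SLEEP%2810%29%3B--+- HTTP/1.1" 200 4980 10.112',
    '198.51.100.7 - - [05/Sep/2023:10:00:30 +0000] "GET /cacti/index.php HTTP/1.1" 200 900 0.020',
]

def inspect(line):
    """Return a finding dict for a suspicious graph_view.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/graph_view.php"):
        return None
    # parse_qs percent-decodes each value and turns '+' into a space.
    values = parse_qs(url.query, keep_blank_values=True).get("rfilter", [])
    reasons = set()
    for value in values:
        if DELAY_FUNC_RE.search(value):
            reasons.add("time-delay function in rfilter")
        if META_RE.search(value):
            reasons.add("SQL metacharacters in rfilter")
    if not reasons:
        return None
    # Timing only corroborates a flagged request; slow pages alone are not flagged.
    if float(m["secs"]) >= SLOW_SECONDS:
        reasons.add("response delayed >= %gs" % SLOW_SECONDS)
    return {"ip": m["ip"], "secs": float(m["secs"]), "reasons": sorted(reasons)}

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [finding for finding in map(inspect, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded `rfilter` value rather than the raw query string keeps the check independent of how the client encoded the request.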
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv · 9.8 CRITICAL
vendor_debian · 9.8 CRITICAL
OSV
CVE-2023-39361: Cacti is an open source operational monitoring and fault management framework
osv·2023-09-05·CVSS 9.8
CVE-2023-39361 [CRITICAL] CVE-2023-39361: Cacti is an open source operational monitoring and fault management framework
Ubuntu
Cacti vulnerability
vendor_ubuntu·2024-04-02
CVE-2023-39361 Cacti vulnerability
Title: Cacti vulnerability
Summary: Cacti could be made to crash if it received specially crafted input.
Kentaro Kawane discovered that Cacti incorrectly handled user-provided input sent through request parameters to the graph_view.php script. A remote authenticated attacker could use this issue to perform SQL injection attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-39361: cacti - Cacti is an open source operational monitoring and fault management framework. A...
vendor_debian·2023·CVSS 9.8
CVE-2023-39361 [CRITICAL] CVE-2023-39361: cacti - Cacti is an open source operational monitoring and fault management framework. A...
Scope: local
bookworm: resolved (fixed in 1.2.24+ds1-1+deb12u1)
bullseye: resolved (fixed in 1.2.16+ds1-2+deb11u2)
forky: resolved (fixed in 1.2.25+ds1-1)
sid
No detection rules found.
Nuclei
Cacti 1.2.24 - SQL Injection
nuclei·CVSS 9.8
CVE-2023-39361 [CRITICAL] Cacti 1.2.24 - SQL Injection
Template:
id: CVE-2023-39361
info:
  name: Cacti 1.2.24 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
No writeups or analysis indexed.
https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
https://lists.fedoraproject.org/archives/list/[email protected]/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
https://lists.fedoraproject.org/archives/list/[email protected]/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
https://www.debian.org/security/2023/dsa-5550
2023-09-05
Published