CVE-2024-31445 — SQL Injection in Cacti

CWE-89 — SQL Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

39.5%

top 2.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Fedoraproject Fedora

Timeline

PublishedMay 14

Latest updateAug 20

Description

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5cacti/cacti< 1.2.27

▶NVDcacti/cacti< 1.2.27

▶Debiancacti/cacti< 1.2.16+ds1-2+deb11u4+3

Also affects: Fedora 39

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-31445: Cacti provides an operational monitoring and fault management framework↗2024-05-14

▶

CVEList

SQL Injection vulnerability in automation_get_new_graphs_sql↗2024-05-13

▶

📋Vendor Advisories

Ubuntu

Cacti vulnerabilities↗2024-08-20

▶

Debian

CVE-2024-31445: cacti - Cacti provides an operational monitoring and fault management framework. Prior t...↗2024

▶