CVE-2024-34340 — Improper Authentication in Cacti

CWE-287 — Improper Authentication CWE-697 — Incorrect Comparison5 documents5 sources

Severity

9.1CRITICALNVD

EPSS

0.8%

top 25.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Fedoraproject Fedora

Timeline

PublishedMay 14

Latest updateAug 20

Description

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is i…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5cacti/cacti< 1.2.27

▶NVDcacti/cacti< 1.2.27

▶Debiancacti/cacti< 1.2.16+ds1-2+deb11u4+3

Also affects: Fedora 39

🔴Vulnerability Details

OSV

CVE-2024-34340: Cacti provides an operational monitoring and fault management framework↗2024-05-14

▶

CVEList

Authentication Bypass when using using older password hashes↗2024-05-13

▶

📋Vendor Advisories

Ubuntu

Cacti vulnerabilities↗2024-08-20

▶

Debian

CVE-2024-34340: cacti - Cacti provides an operational monitoring and fault management framework. Prior t...↗2024

▶