QwikSec

Security Database

CVE

CWE

Training

CVE-2024-29895

Published: May 13, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

Vendor	Product	Versions
Cacti	cacti	affected `= 1.3.x DEV`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m

x_refsource_CONFIRM

https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d

x_refsource_MISC

https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc

x_refsource_MISC

https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.