[Pkg-cacti-maint] Bug#951832: cacti: CVE-2020-8813
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 22 09:16:03 GMT 2020
Source: cacti
Version: 1.2.9+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for cacti.
CVE-2020-8813[0]:
| graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute
| arbitrary OS commands via shell metacharacters in a cookie, if a guest
| user has the graph real-time privilege.
It is said to the reporter that upstream is aware and has already fixed it;
do you have a reference to the upstream commit?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-8813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8813
[1] https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
[2] https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore