CVE-2019-17358

Name
CVE-2019-17358
Description
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17358.html
Exploit https://github.com/Cacti/cacti/blob/79f29cddb5eb05cbaff486cd634285ef1fed9326/lib/functions.php#L3109
Issue Tracking https://github.com/Cacti/cacti/issues/3026
Mailing List https://lists.debian.org/debian-lts-announce/2019/12/msg00014.html
Product https://github.com/Cacti/cacti/commit/adf221344359f5b02b8aed43dfb6b33ae5d708c8
Not Applicable https://www.darkmatter.ae/xen1thlabs/
Issue Tracking https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-17358
DEBIAN https://www.debian.org/security/2020/dsa-4604
BUGTRAQ https://seclists.org/bugtraq/2020/Jan/25
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
GENTOO https://security.gentoo.org/glsa/202003-40
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* cacti >= None <= 1.2.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status