CVE-2020-7237

Name: CVE-2020-7237

Description: Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.

NVD Severity: high

References

Type                   URI
Exploit                https://github.com/Cacti/cacti/issues/3201
Third Party Advisory   https://ctrsec.io/index.php/2020/01/25/cve-2020-7237-remote-code-execution-in-cacti-rrdtool/
FEDORA                 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUSOTOIEJKD2IWJHN7TY56TDZJQZJUVJ/
FEDORA                 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLZAMGTW2OSIBLYLXWHQBGWP7M4DTRS7/
SUSE                   http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
SUSE                   http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
GENTOO                 https://security.gentoo.org/glsa/202003-40
SUSE                   http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
SUSE                   http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html

Match rules

CPE URI                                      Source package   Min version   Max version
cpe:2.3:a:cacti:cacti:1.2.8:*:*:*:*:*:*:*    cacti            == None       == 1.2.8

Vulnerable and fixed packages

Source package Branch Version Maintainer Status