FKIE_CVE-2024-29895

Vulnerability from fkie_nvd - Published: 2024-05-14 15:17 - Updated: 2024-11-21 09:08
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
References
security-advisories@github.comhttps://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
security-advisories@github.comhttps://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
security-advisories@github.comhttps://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
security-advisories@github.comhttps://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
af854a3a-2127-422b-91ae-364da2661108https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
af854a3a-2127-422b-91ae-364da2661108https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
af854a3a-2127-422b-91ae-364da2661108https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
af854a3a-2127-422b-91ae-364da2661108https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER[\u0027argv\u0027]`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc."
    },
    {
      "lang": "es",
      "value": "Cacti proporciona un framework de monitoreo operativo y gesti\u00f3n de fallas. Una vulnerabilidad de inyecci\u00f3n de comandos en la rama DEV 1.3.x permite que cualquier usuario no autenticado ejecute comandos arbitrarios en el servidor cuando la opci\u00f3n `register_argc_argv` de PHP est\u00e1 `activada`. En la l\u00ednea 119 de `cmd_realtime.php`, el `$poller_id` usado como parte de la ejecuci\u00f3n del comando proviene de `$_SERVER[\u0027argv\u0027]`, que puede controlarse mediante URL cuando la opci\u00f3n `register_argc_argv` de PHP est\u00e1 activada. `. Y esta opci\u00f3n est\u00e1 \"activada\" de forma predeterminada en muchos entornos, como la imagen principal de PHP Docker para PHP. el commit 53e8014d1f082034e0646edc6286cde3800c683d contiene un parche para el problema, pero este commit se revirti\u00f3 en el commit 99633903cad0de5ace636249de16f77e57a3c8fc."
    }
  ],
  "id": "CVE-2024-29895",
  "lastModified": "2024-11-21T09:08:34.137",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-14T15:17:15.593",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.