Security update for cacti, cacti-spine SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0565-1 Final 1 1 2020-04-30T15:35:25Z current 2020-04-30T15:35:25Z 2020-04-30T15:35:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cacti, cacti-spine This update for cacti, cacti-spine to version 1.2.11 fixes the following issues: This update is fixing multiple vulnerabilities and adding bug fixes. For more details consult the changes file. This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-565 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ E-Mail link for openSUSE-SU-2020:0565-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1082318 SUSE Bug 1082318 https://bugzilla.suse.com/1122242 SUSE Bug 1122242 https://bugzilla.suse.com/1122243 SUSE Bug 1122243 https://bugzilla.suse.com/1122244 SUSE Bug 1122244 https://bugzilla.suse.com/1122245 SUSE Bug 1122245 https://bugzilla.suse.com/1122535 SUSE Bug 1122535 https://bugzilla.suse.com/1158990 SUSE Bug 1158990 https://bugzilla.suse.com/1158992 SUSE Bug 1158992 https://bugzilla.suse.com/1161297 SUSE Bug 1161297 https://bugzilla.suse.com/1164675 SUSE Bug 1164675 https://bugzilla.suse.com/1169215 SUSE Bug 1169215 https://www.suse.com/security/cve/CVE-2009-4112/ SUSE CVE CVE-2009-4112 page https://www.suse.com/security/cve/CVE-2018-20723/ SUSE CVE CVE-2018-20723 page https://www.suse.com/security/cve/CVE-2018-20724/ SUSE CVE CVE-2018-20724 page https://www.suse.com/security/cve/CVE-2018-20725/ SUSE CVE CVE-2018-20725 page https://www.suse.com/security/cve/CVE-2018-20726/ SUSE CVE CVE-2018-20726 page https://www.suse.com/security/cve/CVE-2019-16723/ SUSE CVE CVE-2019-16723 page https://www.suse.com/security/cve/CVE-2019-17357/ SUSE CVE CVE-2019-17357 page https://www.suse.com/security/cve/CVE-2019-17358/ SUSE CVE CVE-2019-17358 page https://www.suse.com/security/cve/CVE-2020-7106/ SUSE CVE CVE-2020-7106 page https://www.suse.com/security/cve/CVE-2020-7237/ SUSE CVE CVE-2020-7237 page https://www.suse.com/security/cve/CVE-2020-8813/ SUSE CVE CVE-2020-8813 page SUSE Package Hub 15 SP1 cacti-1.2.11-bp151.4.6.1 cacti-spine-1.2.11-bp151.4.6.1 cacti-1.2.11-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 cacti-spine-1.2.11-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands. CVE-2009-4112 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 important 9 AV:N/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2009-4112.html CVE-2009-4112 https://bugzilla.suse.com/1122535 SUSE Bug 1122535 https://bugzilla.suse.com/558664 SUSE Bug 558664 A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. CVE-2018-20723 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2018-20723.html CVE-2018-20723 https://bugzilla.suse.com/1122245 SUSE Bug 1122245 A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. CVE-2018-20724 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2018-20724.html CVE-2018-20724 https://bugzilla.suse.com/1122244 SUSE Bug 1122244 A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. CVE-2018-20725 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2018-20725.html CVE-2018-20725 https://bugzilla.suse.com/1122243 SUSE Bug 1122243 A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. CVE-2018-20726 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2018-20726.html CVE-2018-20726 https://bugzilla.suse.com/1122242 SUSE Bug 1122242 In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. CVE-2019-16723 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2019-16723.html CVE-2019-16723 https://bugzilla.suse.com/1151788 SUSE Bug 1151788 https://bugzilla.suse.com/1214170 SUSE Bug 1214170 Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery. CVE-2019-17357 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 important 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2019-17357.html CVE-2019-17357 https://bugzilla.suse.com/1158990 SUSE Bug 1158990 Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module. CVE-2019-17358 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 moderate 5.5 AV:N/AC:L/Au:S/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2019-17358.html CVE-2019-17358 https://bugzilla.suse.com/1158992 SUSE Bug 1158992 Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). CVE-2020-7106 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2020-7106.html CVE-2020-7106 https://bugzilla.suse.com/1163749 SUSE Bug 1163749 Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product. CVE-2020-7237 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 important 9 AV:N/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2020-7237.html CVE-2020-7237 https://bugzilla.suse.com/1161297 SUSE Bug 1161297 graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. CVE-2020-8813 SUSE Package Hub 15 SP1:cacti-1.2.11-bp151.4.6.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.11-bp151.4.6.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZCYZNXPQBT3RNEEVMDXCIG76SLTOPTF5/ https://www.suse.com/security/cve/CVE-2020-8813.html CVE-2020-8813 https://bugzilla.suse.com/1154087 SUSE Bug 1154087 https://bugzilla.suse.com/1160867 SUSE Bug 1160867 https://bugzilla.suse.com/1164675 SUSE Bug 1164675