Bug 2280498 (CVE-2024-31458, CVE-2024-31459, CVE-2024-31460)

Summary: CVE-2024-31458 CVE-2024-31459 CVE-2024-31460 cacti: multiple vulnerabilities
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cacti 1.2.27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2280499, 2280500    
Bug Blocks:    

Description Robb Gatica 2024-05-15 00:21:06 UTC 
CVE-2024-31458:
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php` , finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue.

https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x

---
CVE-2024-31459:
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue.

https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp

---
CVE-2024-31460:
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()`  function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue.

https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
Comment 1 Robb Gatica 2024-05-15 00:21:21 UTC 
Created cacti tracking bugs for this issue:

Affects: epel-all [bug 2280499]
Affects: fedora-all [bug 2280500]