Bug 542985 (CVE-2009-4112)
Summary: | CVE-2009-4112 Cacti: Privilege escalation under certain conditions | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | mmcgrath |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html | ||
Doc Type: | Bug Fix | Last Closed: | 2010-06-29 08:11:41 UTC |
Description
Jan Lieskovsky
2009-12-01 11:54:09 UTC
what version of nc has a valid -e?

(In reply to comment #1)
> what version of nc has a valid -e?

Some Debian version, or nmap's netcat implementation - ncat.

However, I'm closing this bug. It is expected that the cacti administrator is able to define new Data Input Methods that can be either an SNMP query or a command that is run with the privileges of the cacti user. So this "flaw" does not bypass any intended restriction.

It seems upstream has no intention to add additional restrictions on Data Input Methods commands in the maintenance releases for the current cacti version.