It was reported [1] that upstream fixed incomplete and incorrect input parsing that leads to remote code execution and SQL injection attack scenarios. [2]
[1]: http://seclists.org/oss-sec/2014/q3/351
[2]: http://svn.cacti.net/viewvc?view=rev&revision=7454
CVE has not yet been assigned (request is in [1]).
Created cacti tracking bugs for this issue:
Affects: fedora-all [bug 1129763]
Affects: epel-all [bug 1129764]
Acknowledgements: Red Hat would like to thank Mischa Salle and Wilco Baan Hofman of Nikhef for reporting this issue.
MITRE assigned CVE-2014-5261 to the shell metacharacters issue, and CVE-2014-5262 to the SQL injection: http://seclists.org/oss-sec/2014/q3/386
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.