[Japanese]

JVNDB-2015-000064

Cacti vulnerable to SQL injection

Overview

Cacti is a web application that graphs stored data collected from network devices. Cacti contains a SQL injection vulnerability due to a flaw in processing user input values for 'local_graph_id' in graph.php.

Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


The Cacti Group
  • Cacti 0.8.6e and earlier

Impact

Arbitrary SQL queries may be injected in the back-end database by a remote authenticated attacker.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

According to the developer, this issue was addressed in 0.8.6f released in 2005.
Vendor Information

The Cacti Group
CWE (What is CWE?)

  1. SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-0916
References

  1. JVN : JVN#18957556
  2. National Vulnerability Database (NVD) : CVE-2015-0916
Revision History

[2015/05/14]
  Web page was published
[2015/05/25]
  Vendor Information : Content was added
  References : Content was added