ID

VAR-201506-0385


CVE

CVE-2015-4342


TITLE

Cacti SQL injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-003192

DESCRIPTION

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.

Cacti is an open source network traffic monitoring and analysis tool from Cacti Group. The tool uses snmpget to get data, RRDtool to draw graphics for analysis, and provides data and user management capabilities.

Cacti is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

-------------------------------------------------------------------------
Debian Security Advisory DSA-3295-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 24, 2015                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : cacti
CVE ID         : CVE-2015-2665 CVE-2015-4342 CVE-2015-4454

Several vulnerabilities (cross-site scripting and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems.

For the oldstable distribution (wheezy), these problems have been fixed in version 0.8.8a+dfsg-5+deb7u5.

For the stable distribution (jessie), these problems have been fixed in version 0.8.8b+dfsg-8+deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 0.8.8d+ds1-1.

We recommend that you upgrade your cacti packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Trust: 2.52

sources: NVD: CVE-2015-4342 // JVNDB: JVNDB-2015-003192 // CNVD: CNVD-2015-03938 // BID: 75108 // PACKETSTORM: 132429

IOT TAXONOMY

category: ['Network device']  sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-03938

AFFECTED PRODUCTS

vendor: fedoraproject  model: fedora  scope: eq  version: 23

Trust: 1.6

vendor: fedoraproject  model: fedora  scope: eq  version: 24

Trust: 1.6

vendor: fedoraproject  model: fedora  scope: eq  version: 22

Trust: 1.6

vendor: cacti  model: cacti  scope: lte  version: 0.8.8c

Trust: 1.0

vendor: the cacti group  model: cacti  scope: lt  version: 0.8.8d

Trust: 0.8

vendor: cacti  model: <0.8.8d  scope: -  version: -

Trust: 0.6

vendor: planet  model: technology wsw-2401 h  scope: eq  version: 0.8.6

Trust: 0.3

vendor: planet  model: technology wsw-2401 g  scope: eq  version: 0.8.6

Trust: 0.3

vendor: debian  model: linux sparc  scope: eq  version: 6.0

Trust: 0.3

vendor: debian  model: linux s/390  scope: eq  version: 6.0

Trust: 0.3

vendor: debian  model: linux powerpc  scope: eq  version: 6.0

Trust: 0.3

vendor: debian  model: linux mips  scope: eq  version: 6.0

Trust: 0.3

vendor: debian  model: linux ia-64  scope: eq  version: 6.0

Trust: 0.3

vendor: debian  model: linux ia-32  scope: eq  version: 6.0

Trust: 0.3

vendor: debian  model: linux arm  scope: eq  version: 6.0

Trust: 0.3

vendor: debian  model: linux amd64  scope: eq  version: 6.0

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.8.7

Trust: 0.3

vendor: cacti  model: f  scope: eq  version: 0.8.6

Trust: 0.3

vendor: cacti  model: c  scope: eq  version: 0.8.6

Trust: 0.3

vendor: cacti  model: a  scope: eq  version: 0.8.5

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.8.5

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.8.4

Trust: 0.3

vendor: cacti  model: a  scope: eq  version: 0.8.3

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.8.3

Trust: 0.3

vendor: cacti  model: a  scope: eq  version: 0.8.2

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.8.2

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.8.1

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.8

Trust: 0.3

vendor: cacti  model: cacti  scope: eq  version: 0.6.7

Trust: 0.3

vendor: cacti  model: 0.8.7i  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7h  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7g  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7f  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7e  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7d  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7c  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7b  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.7a  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.6k  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.6j  scope: -  version: -

Trust: 0.3

vendor: cacti  model: 0.8.6i  scope: -  version: -

Trust: 0.3

sources: CNVD: CNVD-2015-03938 // BID: 75108 // JVNDB: JVNDB-2015-003192 // CNNVD: CNNVD-201506-324 // NVD: CVE-2015-4342

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-4342
value: HIGH

Trust: 1.0

NVD: CVE-2015-4342
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-03938
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201506-324
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2015-4342
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-03938
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2015-03938 // JVNDB: JVNDB-2015-003192 // CNNVD: CNNVD-201506-324 // NVD: CVE-2015-4342

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2015-003192 // NVD: CVE-2015-4342

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 132224 // CNNVD: CNNVD-201506-324

TYPE

sql injection

Trust: 0.7

sources: PACKETSTORM: 132224 // CNNVD: CNNVD-201506-324

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003192

PATCH

title: Release Notes - 0.8.8d  url: http://www.cacti.net/release_notes_0_8_8d.php

Trust: 0.8

title: Bug Reporting  url: http://bugs.cacti.net/main_page.php

Trust: 0.8

title: Patch for Cacti SQL Injection Vulnerability (CNVD-2015-03938)  url: https://www.cnvd.org.cn/patchInfo/show/59936

Trust: 0.6

sources: CNVD: CNVD-2015-03938 // JVNDB: JVNDB-2015-003192

EXTERNAL IDS

db: NVD  id: CVE-2015-4342

Trust: 3.5

db: PACKETSTORM  id: 132224

Trust: 3.1

db: BID  id: 75108

Trust: 1.9

db: SECTRACK  id: 1032672

Trust: 1.0

db: JVNDB  id: JVNDB-2015-003192

Trust: 0.8

db: CNVD  id: CNVD-2015-03938

Trust: 0.6

db: CNNVD  id: CNNVD-201506-324

Trust: 0.6

db: PACKETSTORM  id: 132429

Trust: 0.1

sources: CNVD: CNVD-2015-03938 // BID: 75108 // JVNDB: JVNDB-2015-003192 // PACKETSTORM: 132224 // PACKETSTORM: 132429 // CNNVD: CNNVD-201506-324 // NVD: CVE-2015-4342

REFERENCES

url:http://packetstormsecurity.com/files/132224/cacti-sql-injection-header-injection.html

Trust: 3.0

url:http://seclists.org/fulldisclosure/2015/jun/19

Trust: 1.9

url:http://www.cacti.net/release_notes_0_8_8d.php

Trust: 1.9

url:http://bugs.cacti.net/view.php?id=2571

Trust: 1.7

url:http://lists.opensuse.org/opensuse-updates/2015-06/msg00052.html

Trust: 1.0

url:http://www.debian.org/security/2015/dsa-3295

Trust: 1.0

url:http://www.securitytracker.com/id/1032672

Trust: 1.0

url:http://lists.fedoraproject.org/pipermail/package-announce/2016-may/183919.html

Trust: 1.0

url:http://lists.fedoraproject.org/pipermail/package-announce/2016-may/183449.html

Trust: 1.0

url:http://lists.fedoraproject.org/pipermail/package-announce/2016-may/183454.html

Trust: 1.0

url:https://bugzilla.suse.com/show_bug.cgi?id=934187

Trust: 1.0

url:http://www.securityfocus.com/bid/75108

Trust: 1.0

url:https://www.suse.com/security/cve/cve-2015-4342.html

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4342

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4342

Trust: 0.8

url:http://cacti.net/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-4342

Trust: 0.2

url:http://bugs.cacti.net/view.php?id=2571#c6864

Trust: 0.1

url:http://www.dbappsecurity.com.cn/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-2665

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-4454

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

sources: CNVD: CNVD-2015-03938 // BID: 75108 // JVNDB: JVNDB-2015-003192 // PACKETSTORM: 132224 // PACKETSTORM: 132429 // CNNVD: CNNVD-201506-324 // NVD: CVE-2015-4342

CREDITS

unhex

Trust: 0.4

sources: BID: 75108 // PACKETSTORM: 132224

SOURCES

db: CNVD  id: CNVD-2015-03938
db: BID  id: 75108
db: JVNDB  id: JVNDB-2015-003192
db: PACKETSTORM  id: 132224
db: PACKETSTORM  id: 132429
db: CNNVD  id: CNNVD-201506-324
db: NVD  id: CVE-2015-4342

LAST UPDATE DATE

2024-11-23T21:55:11.845000+00:00


SOURCES UPDATE DATE

db: CNVD  id: CNVD-2015-03938  date: 2015-06-24T00:00:00
db: BID  id: 75108  date: 2015-07-14T23:45:00
db: JVNDB  id: JVNDB-2015-003192  date: 2015-06-19T00:00:00
db: CNNVD  id: CNNVD-201506-324  date: 2015-06-18T00:00:00
db: NVD  id: CVE-2015-4342  date: 2024-11-21T02:30:51.693

SOURCES RELEASE DATE

db: CNVD  id: CNVD-2015-03938  date: 2015-06-24T00:00:00
db: BID  id: 75108  date: 2015-06-09T00:00:00
db: JVNDB  id: JVNDB-2015-003192  date: 2015-06-19T00:00:00
db: PACKETSTORM  id: 132224  date: 2015-06-09T17:22:22
db: PACKETSTORM  id: 132429  date: 2015-06-25T02:36:27
db: CNNVD  id: CNNVD-201506-324  date: 2015-06-18T00:00:00
db: NVD  id: CVE-2015-4342  date: 2015-06-17T18:59:07.407