CVE-2019-17358

NameCVE-2019-17358
DescriptionCacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2032-1, DSA-4604-1
Debian Bugs947375

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cacti (PTS)jessie, jessie (lts)0.8.8b+dfsg-8+deb8u10fixed
stretch (security), stretch (lts), stretch0.8.8h+ds1-10+deb9u2fixed
buster (security), buster, buster (lts)1.2.2+ds1-2+deb10u6fixed
bullseye1.2.16+ds1-2+deb11u3fixed
bullseye (security)1.2.16+ds1-2+deb11u4fixed
bookworm1.2.24+ds1-1+deb12u4fixed
bookworm (security)1.2.24+ds1-1+deb12u2fixed
sid, trixie1.2.28+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cactisourcewheezy(unfixed)end-of-life
cactisourcejessie0.8.8b+dfsg-8+deb8u8DLA-2032-1
cactisourcestretch0.8.8h+ds1-10+deb9u1DSA-4604-1
cactisourcebuster1.2.2+ds1-2+deb10u2DSA-4604-1
cactisource(unstable)1.2.8+ds1-1947375

Notes

https://github.com/Cacti/cacti/issues/3026
https://github.com/Cacti/cacti/commit/adf221344359f5b02b8aed43dfb6b33ae5d708c8

Search for package or bug name: Reporting problems