| Field | Value |
|---|---|
| Summary | net-analyzer/cacti-1.2.10 - When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813) |
| Product | Gentoo Security |
| Reporter | Jeroen Roovers (RETIRED) <jer> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | netmon |
| Priority | Normal |
| Flags | nattka: sanity-check- |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/Cacti/cacti/issues/3285 |
| Whiteboard | C1 [glsa+ cve] |
| Package list | =net-analyzer/cacti-1.2.10, =net-analyzer/cacti-spine-1.2.10 |
| Runtime testing required | --- |
Description

Jeroen Roovers (RETIRED) 2020-03-28 14:27:26 UTC

From URL:

> This is a low risk exploit as the default Cacti configuration is set such that the Guest account is disabled, the Guest account has no access to realtime graphs under permissions and the guest template user is not set.

So going for C1.

Thanks for moving quickly to stabilise!

sparc stable

hppa stable

amd64 stable

x86 stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Arches and Maintainer(s), thank you for your work. New GLSA Request filed.

Unable to check for sanity:

> no match for package: =net-analyzer/cacti-1.2.10

This issue was resolved and addressed in GLSA 202004-16 at https://security.gentoo.org/glsa/202004-16 by GLSA coordinator Thomas Deutschmann (whissi).