[Secure-testing-team] Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Salvatore Bonaccorso
carnil at debian.org
Tue Nov 7 21:17:47 UTC 2017
Source: cacti
Version: 1.1.27+ds1-2
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/Cacti/cacti/issues/1057
Hi,
the following vulnerability was published for cacti.
CVE-2017-16641[0]:
| lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators
| to execute arbitrary OS commands via the path_rrdtool parameter in an
| action=save request to settings.php.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16641
[1] https://github.com/Cacti/cacti/issues/1057
Please adjust the affected versions in the BTS as needed, only did
check unstable's version for now source-wise.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list