CVE-2024-29895

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
Configurations

No configuration.

History

21 Nov 2024, 09:08

Type Values Removed Values Added
References () https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119 - () https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119 -
References () https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d - () https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d -
References () https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc - () https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc -
References () https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m - () https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m -
Summary
  • (es) Cacti proporciona un framework de monitoreo operativo y gestión de fallas. Una vulnerabilidad de inyección de comandos en la rama DEV 1.3.x permite que cualquier usuario no autenticado ejecute comandos arbitrarios en el servidor cuando la opción `register_argc_argv` de PHP está `activada`. En la línea 119 de `cmd_realtime.php`, el `$poller_id` usado como parte de la ejecución del comando proviene de `$_SERVER['argv']`, que puede controlarse mediante URL cuando la opción `register_argc_argv` de PHP está activada. `. Y esta opción está "activada" de forma predeterminada en muchos entornos, como la imagen principal de PHP Docker para PHP. el commit 53e8014d1f082034e0646edc6286cde3800c683d contiene un parche para el problema, pero este commit se revirtió en el commit 99633903cad0de5ace636249de16f77e57a3c8fc.

14 May 2024, 15:17

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-14 15:17

Updated : 2024-11-21 09:08


NVD link : CVE-2024-29895

Mitre link : CVE-2024-29895

CVE.ORG link : CVE-2024-29895


JSON object : View

Products Affected

No product.

CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')