Debian Security Advisory DSA 4604-1 (cacti - security update)

The remote host is missing an update for the 'cacti' package(s) announced via the DSA-4604-1 advisory.

Multiple issues have been found in cacti, a server monitoring system, potentially resulting in SQL code execution or information disclosure by authenticated users. CVE-2019-16723 Authenticated users may bypass authorization checks for viewing a graph by submitting requests with modified local_graph_id parameters. CVE-2019-17357 The graph administration interface insufficiently sanitizes the template_id parameter, potentially resulting in SQL injection. This vulnerability might be leveraged by authenticated attackers to perform unauthorized SQL code execution on the database. CVE-2019-17358 The sanitize_unserialize_selected_items function (lib/functions.php) insufficiently sanitizes user input before deserializing it, potentially resulting in unsafe deserialization of user-controlled data. This vulnerability might be leveraged by authenticated attackers to influence the program control flow or cause memory corruption.

'cacti' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For the oldstable distribution (stretch), these problems have been fixed in version 0.8.8h+ds1-10+deb9u1. Note that stretch was only affected by CVE-2018-17358. For the stable distribution (buster), these problems have been fixed in version 1.2.2+ds1-2+deb10u2. We recommend that you upgrade your cacti packages.