The Black Duck Cybersecurity Research Center (CyRC) has discovered CVE-2023-51448, a blind SQL injection (SQLi) vulnerability in Cacti.
Cacti is a performance and fault management framework written in PHP. It uses a variety of data collection methods to populate an RRDTool-based time series database (TSDB) with performance data, and offers a web user interface to view this performance data in graphs. Cacti is easily extensible for custom needs via its plugin system.
Due to insufficient sanitization when parsing the deserialized result of the ‘selected_graphs_array’ parameter, a crafted payload may trigger SQLi when the result is concatenated with a raw SQL query. Using a blind SQLi technique, an attacker can disclose Cacti database contents or trigger remote code execution (RCE).
An attacker authenticated with any account that possesses the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint ‘/managers.php’ with an SQLi payload in the ‘selected_graphs_array’ HTTP GET parameter to trigger the vulnerability.
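The root cause described above is a deserialized request parameter whose elements reach a SQL string without being checked. The following is an added illustration of the defensive counterpart, not Cacti's code or its actual fix: the function, table and column names are placeholders, and the sample inputs are constructed.

```php
<?php
// Added example (not from Cacti): validate a serialized list of graph IDs
// before it can influence a query, then bind it with placeholders.

/**
 * Parse a serialized PHP array of graph IDs and return only positive integers.
 * Any element that is not a plain digit string is rejected (null is returned),
 * so a value carrying SQL syntax never reaches the query at all.
 */
function parse_graph_ids(string $raw): ?array {
    // allowed_classes=false blocks object injection via the serialized blob.
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return null;
    }
    $ids = [];
    foreach ($decoded as $value) {
        // Accept ints or digit-only strings; reject "17 OR 1=1", "1.0", "-1", "".
        if (is_int($value) && $value > 0) {
            $ids[] = $value;
        } elseif (is_string($value) && ctype_digit($value) && $value !== '0') {
            $ids[] = (int) $value;
        } else {
            return null;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch rows with bound parameters instead of string concatenation. The IDs
 * are already validated integers, but the placeholder list keeps data and
 * SQL syntax separate regardless. Table/column names are hypothetical.
 */
function fetch_graph_titles(PDO $db, array $ids): array {
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, title FROM graphs WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs: a legitimate list and a tampered one.
var_dump(parse_graph_ids(serialize([3, '17', 42])));      // array(3, 17, 42)
var_dump(parse_graph_ids(serialize(['17', '17 OR 1=1']))); // NULL, request rejected
```

A caller that receives null should reject the request outright rather than fall back to a partial list, since a single bad element means the input was not produced by the legitimate UI.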
Cacti version 1.2.25
Exploitation of this vulnerability would allow an attacker to disclose the entire contents of the Cacti database. It may also be escalated to RCE, as demonstrated with CVE-2023-49084.
CVSS Base Score: 8.3
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
The vulnerability is patched as of commit 58a980f335980ab57659420053d89d4e721ae3fc on December 20, 2023.
This vulnerability was discovered by CyRC researcher Matthew Hogg.
2023-09-18 – Vulnerability discovered.
2023-09-21 – Vendor notified.
2023-10-06 – Vendor accepted report.
2023-12-20 – Vulnerability published, and vendor fix released.
FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores should follow the guidelines so that anyone can understand how a score was calculated.