CVE-2019-17358 — cacti - security update

Description

Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.

How to fix CVE-2019-17358

To remediate CVE-2019-17358, upgrade the affected package to a fixed version below.

—upgrade to 1.2.8+ds1-1 or later
—upgrade to 0.8.8b+dfsg-8+deb8u8 or later
—upgrade to 0.8.8h+ds1-10+deb9u1 or later

Is CVE-2019-17358 being exploited?

Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1.2.8+ds1-1
from 0, < 0.8.8b+dfsg-8+deb8u8
from 0, < 0.8.8h+ds1-10+deb9u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-17358