CVE-2014-2709 - lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary comman

CVE-2014-2709

Summary

lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. Per: https://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"

References

Vulnerable Configurations

cpe:2.3:a:cacti:cacti:0.8.7:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7a:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7a:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7b:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7b:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7c:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7c:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7d:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7d:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7e:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7e:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7f:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7f:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7g:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.7g:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.8:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.8:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.8a:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.8a:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.8b:*:*:*:*:*:*:*
cpe:2.3:a:cacti:cacti:0.8.8b:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 13-12-2018 - 18:22)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	66630
confirm	http://svn.cacti.net/viewvc?view=rev&revision=7439 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
debian	DSA-2970
fedora	FEDORA-2014-4892 FEDORA-2014-4928
gentoo	GLSA-201509-03
mlist	[oss-security] 20140403 Re: CVE request: cacti "bug#0002405: SQL injection in graph_xport.php"
secunia	57647 59203

Last major update

13-12-2018 - 18:22

Published

23-04-2014 - 15:55

Last modified

13-12-2018 - 18:22