Security Bulletin
Summary
Cacti is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tree.php script using the parent_id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. A remote attacker could send specially-crafted SQL statements to the graph_view.php script, which could allow the attacker to view, add, modify or delete information in the back-end database.
Vulnerability Details
Relevant CVE Information:
CVE-ID: CVE-2016-3172
DESCRIPTION: Cacti is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tree.php script using the parent_id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVE-ID: CVE-2016-3659
DESCRIPTION: Cacti is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the graph_view.php script, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111978 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Products and Versions
IBM Platform RTM 8.3, 9.1.x
Remediation/Fixes
Fixed in IBM Spectrum LSF RTM (formerly IBM Platform RTM) 10.1 to be released on IBM Passport Advantage
For RTM version 8.3.x, 9.1.x, IBM recommends upgrading to IBM Spectrum LSF RTM 10.1 which is available from IBM Passport Advantage
Workarounds and Mitigations
None
Upgrade to 10.1 on IBM Passport Advantage
Get Notified about Future Security Bulletins
References
Change History
17 June 2016: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
isg3T1017908