CyRC Vulnerability Advisory: CVE-2023-51448 Blind SQL Injection in SNMP Notification Receivers
CVE-2023-51448 overview
The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-51448, a blind SQL injection (SQLi) vulnerability in Cacti.
Cacti is a performance and fault management framework written in PHP. It uses a variety of data collection methods to populate an RRDTool-based time series database (TSDB) with performance data, and offers a web user interface to view this performance data in graphs. Cacti is easily extensible for custom needs via its plugin system.
Cacti deserializes the ‘selected_graphs_array’ parameter and, without sufficient sanitization of the resulting values, concatenates them into a raw SQL query, so a crafted payload triggers SQL injection. Using a blind SQLi technique, an attacker can disclose Cacti database contents or, by chaining with other weaknesses, reach remote code execution (RCE).
CVE-2023-51448 exploitation
An attacker authenticated with any account that possesses the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint ‘/managers.php’ with an SQLi payload in the ‘selected_graphs_array’ HTTP GET parameter to trigger the vulnerability.
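The following is an added, self-contained PHP example (not Cacti's code) that reproduces the bug class described above: a request parameter is unserialize()d and its elements are concatenated into an `IN (...)` clause, which lets a single array element rewrite the WHERE clause and act as a boolean oracle for blind extraction. The table, column names, the in-memory SQLite database (Cacti itself uses MySQL) and the PDO calls are assumptions made so the script runs offline; the hardened variant shows the fix pattern of type-enforcing the deserialized values and binding them with placeholders.

```php
<?php
// Illustrative example added to this advisory; not Cacti's code.
// Schema, data and the PDO/SQLite setup are constructed for the demo.

// --- Vulnerable pattern: unserialize() request data, concatenate into SQL ---
function graphs_by_ids_vulnerable(PDO $pdo, string $raw_param): array {
    $ids = @unserialize($raw_param);        // attacker controls every element
    if (!is_array($ids) || count($ids) === 0) {
        return [];
    }
    // Elements are copied verbatim into the query, so a string element
    // such as "1) OR 1=1 --" is parsed as SQL, not as data.
    $sql = 'SELECT local_graph_id, title_cache FROM graph_local '
         . 'WHERE local_graph_id IN (' . implode(',', $ids) . ')';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: reject non-integers, bind with placeholders ---
function graphs_by_ids_hardened(PDO $pdo, string $raw_param): array {
    // Never let unserialize() instantiate objects from request data.
    $ids = @unserialize($raw_param, ['allowed_classes' => false]);
    if (!is_array($ids) || count($ids) === 0) {
        return [];
    }
    // Enforce the expected type: every element must be a positive integer.
    foreach ($ids as $id) {
        $opts = ['options' => ['min_range' => 1]];
        if (filter_var($id, FILTER_VALIDATE_INT, $opts) === false) {
            return [];  // reject the request instead of trying to "clean" it
        }
    }
    $ids = array_map('intval', $ids);
    // Placeholders make it impossible for the values to be parsed as SQL.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare('SELECT local_graph_id, title_cache FROM graph_local '
                         . "WHERE local_graph_id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Boolean-based blind probe against the vulnerable function: the row for
// graph 1 comes back only when the injected condition is true, so the
// response size leaks one character of another row per request.
function blind_probe(PDO $pdo, string $guess): bool {
    $payload = serialize([
        "1) AND ((SELECT substr(title_cache,1,1) FROM graph_local "
        . "WHERE local_graph_id=2)='" . $guess . "'",
    ]);
    return count(graphs_by_ids_vulnerable($pdo, $payload)) > 0;
}

// Constructed sample database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE graph_local (local_graph_id INTEGER PRIMARY KEY, title_cache TEXT)');
$pdo->exec("INSERT INTO graph_local VALUES (1,'Traffic - eth0'), (2,'CPU usage'), (3,'Disk IO')");

$benign  = serialize([1, 3]);
$crafted = serialize(['1) OR 1=1 --']);

print_r(graphs_by_ids_vulnerable($pdo, $benign));   // rows 1 and 3
print_r(graphs_by_ids_vulnerable($pdo, $crafted));  // every row: WHERE clause rewritten
var_dump(blind_probe($pdo, 'C'));                   // true:  first char of row 2 is 'C'
var_dump(blind_probe($pdo, 'X'));                   // false: condition is false, no rows
print_r(graphs_by_ids_hardened($pdo, $benign));     // rows 1 and 3
print_r(graphs_by_ids_hardened($pdo, $crafted));    // empty: rejected before any SQL runs
```

The hardened variant fails closed: a single non-integer element rejects the whole request rather than being quoted or escaped, and the query text never contains user data. Cacti's own database wrappers differ from PDO, but the fix pattern (validate the deserialized values against the expected type, then bind them) is the same.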
Affected software
Cacti version 1.2.25
Impact
Exploitation of this vulnerability would allow an attacker to disclose the entire contents of the Cacti database. It may also be escalated to RCE, as demonstrated with CVE-2023-49084.
CVSS 3.1 Score: 8.3 (temporal score; the base score for the vector below is 8.8, reduced to 8.3 by E:P)
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
CVE-2023-51448 remediation
The vulnerability is patched as of commit 58a980f335980ab57659420053d89d4e721ae3fc on December 20, 2023.
CVE-2023-51448 discovery credit
This vulnerability was discovered by CyRC researcher Matthew Hogg.
Vulnerability discovery timeline
2023-09-18 – Vulnerability discovered.
2023-09-21 – Vendor notified.
2023-10-06 – Vendor accepted report.
2023-12-20 – Vulnerability published, and vendor fix released.
About CVSS
FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using it. FIRST also asks that anyone who publishes scores follow its guidelines so that others can understand how a score was calculated.
*** This is a Security Bloggers Network syndicated blog from Software Security authored by Matthew Hogg. Read the original post at: https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-51448.html