cacti is vulnerable to command injection. Authorization can be bypassed due to the implementation of the get_client_addr
function. The function is defined in the file lib/functions.php
and checks serval $_SERVER
variables to determine the IP address of the client which allows an attacker to set arbitrarily variables beginning with HTTP_
.
github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216
github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9
github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b
github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
security-tracker.debian.org/tracker/CVE-2022-46169