Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
The rfilter parameter passed in the HTTP request was directly concatenated into the SQL query in the RLIKE clause without any validation or parameterization (CWE-89). The endpoint responsible for viewing graphs supports guest access through a configured guest account, which means that an unauthenticated attacker can send a crafted request to an installation with guest viewing enabled. This allows execution of arbitrary SQL queries in the context of the application database.
An attacker without any authentication can gain unauthorized access to sensitive data stored in the database, modify it or destroy it, and depending on the database server configuration, potentially escalate access to the operating system.
Cacti should be updated to version 1.2.31, in which the issue has been fixed. Until the update is applied, it is recommended to disable the guest access to graphs functionality (guest viewing) in the application configuration.
Cacti in versions 1.2.30 and earlier with guest viewing functionality enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCacti
APPCacti< 1.2.31
Related vulnerabilities
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault manag...
Cacti: Pre-auth SQL injection przez parametr rfilter (SQLi)
SQL Injection przed uwierzytelnieniem w Cacti (graph_view.php)
Niezautoryzowany path traversal i command injection w Cacti (LFI)
Cacti: Command Injection przez malformowane OID w parserze SNMP