Steffen Joeris
2009-Dec-16 11:40 UTC
[Secure-testing-team] Bug#561339: CVE-2009-4112: arbitrary command execution
Package: cacti
Severity: grave
Tags: security
Hi Sean,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.
CVE-2009-4112[0]:
| Cacti 0.8.7e and earlier allows remote authenticated administrators to
| gain privileges by modifying the "Data Input Method" for the "Linux -
| Get Memory Usage" setting to contain arbitrary commands.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
As discussed with upstream, please make sure that there is a whitelist
policy in place for squeeze.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112
http://security-tracker.debian.org/tracker/CVE-2009-4112
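Added illustration of the whitelist policy the report asks for, i.e. validating a proposed "Data Input Method" command string before it is stored. This is a constructed example, not Cacti's code; the script directory, the allowlists and the handling of a `<path_cacti>` substitution token are assumptions.

```python
"""Allowlist check for a proposed data input method command string.

Constructed example; not Cacti's own code. The script directory, allowed
scripts, allowed interpreters and the <path_cacti> token are assumptions.
"""
import posixpath
import re
import shlex

CACTI_ROOT = "/usr/share/cacti"                 # assumed install root
SCRIPT_DIR = posixpath.join(CACTI_ROOT, "scripts")
ALLOWED_SCRIPTS = {"linux_memory.pl", "loadavg_multi.pl", "unix_processes.pl"}
ALLOWED_INTERPRETERS = {"perl", "php", "/usr/bin/perl", "/usr/bin/php"}
# Characters that would let the string break out of a single command when
# the poller hands it to a shell.
SHELL_META = re.compile(r"[;&|`$\n\\(){}*?\[\]~]")
PATH_RE = re.compile(r"[A-Za-z0-9_./-]+")
# Arguments may only be plain words or <field> substitution tokens.
ARG_RE = re.compile(r"<[A-Za-z_]+>|[A-Za-z0-9_.:-]+")


def check_input_command(cmd):
    """Return (accepted, reason) for a proposed data input command."""
    if SHELL_META.search(cmd):
        return False, "shell metacharacter in command"
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        return False, "unparsable command: %s" % exc
    if not argv:
        return False, "empty command"
    # Optional leading interpreter, e.g. 'perl <path_cacti>/scripts/x.pl'.
    if argv[0] in ALLOWED_INTERPRETERS:
        argv = argv[1:]
        if not argv:
            return False, "interpreter without script"
    script = argv[0].replace("<path_cacti>", CACTI_ROOT)
    if not PATH_RE.fullmatch(script):
        return False, "disallowed character in script path"
    # Collapse '..' segments so the path cannot escape the script directory.
    resolved = posixpath.normpath(script)
    if posixpath.dirname(resolved) != SCRIPT_DIR:
        return False, "script outside the script directory"
    if posixpath.basename(resolved) not in ALLOWED_SCRIPTS:
        return False, "script not on the allowlist"
    for arg in argv[1:]:
        if not ARG_RE.fullmatch(arg):
            return False, "disallowed argument %r" % arg
    return True, "ok"
```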