Amazon Linux 1 (EOL) Security Advisory: ALAS-2024-1915
Advisory Released Date: 2024-02-05
Advisory Updated Date: 2024-02-05
Severity:
Important
Issue Overview:
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `managers.php`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `/cacti/managers.php` with an SQLi payload in the `selected_graphs_array` HTTP GET parameter. As of time of publication, no patched versions exist. (CVE-2023-51448)
Affected Packages:
cacti
Issue Correction:
Run `yum update cacti` to update your system.
New Packages:
noarch:
cacti-1.1.19-6.24.amzn1.noarch
src:
cacti-1.1.19-6.24.amzn1.src
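
Detection logic for the request described in the Issue Overview, added here as an example and not part of the original advisory or of Cacti: it scans web access-log lines for GET requests to `managers.php` that carry `selected_graphs_array` and flags clients that send bursts of them. The combined log format, the sample lines, and the `BURST` and `WINDOW` thresholds are assumptions of this example.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed Apache/nginx "combined" access-log layout; adjust for your server.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} ')
SCRIPT = "/managers.php"          # file named in the advisory, any URL prefix
PARAM = "selected_graphs_array"   # GET parameter named in the advisory
BURST = 3                         # assumed threshold: hits per WINDOW
WINDOW = timedelta(seconds=60)    # assumed window length

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE = [
    '198.51.100.7 - - [05/Feb/2024:10:00:01 +0000] "GET /cacti/managers.php?action=edit&id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Feb/2024:10:00:02 +0000] "GET /cacti/managers.php?selected_graphs_array=PLACEHOLDER-1 HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/Feb/2024:10:00:05 +0000] "GET /cacti/managers.php?selected_graphs_array=PLACEHOLDER%2D2 HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/Feb/2024:10:00:09 +0000] "GET /cacti/managers.php?selected_graphs_array=PLACEHOLDER-3 HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/Feb/2024:10:00:10 +0000] "GET /cacti/graphs.php?selected_graphs_array=PLACEHOLDER-4 HTTP/1.1" 200 900',
    '192.0.2.44 - - [05/Feb/2024:10:05:00 +0000] "GET /cacti/managers.php?selected_graphs_array=PLACEHOLDER-9 HTTP/1.1" 200 812',
]

def scan(lines, burst=BURST, window=WINDOW):
    """Per client IP, summarise GET requests to managers.php carrying PARAM."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(SCRIPT):
            continue
        # parse_qs percent-decodes; keep_blank_values keeps empty parameters.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
        if values is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, max(len(v) for v in values)))
    report = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # Peak = most hits inside any interval of length `window`.
        peak = max(bisect_right(times, t + window) - i for i, t in enumerate(times))
        report[ip] = {"hits": len(events), "peak": peak, "burst": peak >= burst,
                      "max_len": max(n for _, n in events)}
    return report
```

Call `scan()` on the lines of your own access log; entries with `burst` set are the ones to review first, since the count-based threshold says nothing about what the parameter contained.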