Candidate: CVE-2019-16723
PublicDate: 2019-09-23 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16723
 https://github.com/Cacti/cacti/issues/2964
Description:
 In Cacti through 1.2.6, authenticated users may bypass authorization checks
 (for viewing a graph) via a direct graph_json.php request with a modified
 local_graph_id parameter.
Ubuntu-Description:
Notes:
 ccdm94> 7a6a17252a1 and c7cf4a26e48 were the original fixes proposed for
  this CVE, however, they were reverted by cfb0733597a, which introduced a
  new fix. This new fix, however, was considered incomplete, so 9a1d2ec46d2,
  d5f98679a06 and 4cecb19f6be were issued as follow up patches.
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N [4.3 MEDIUM]

Patches_cacti:
 upstream: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b
 upstream: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7
 upstream: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7
 upstream: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df
upstream_cacti: released (1.2.7)
precise/esm_cacti: DNE
trusty_cacti: ignored (out of standard support)
trusty/esm_cacti: DNE (trusty was not-affected [code not present])
xenial_cacti: ignored (end of standard support, was not-affected [code not present])
bionic_cacti: needed
disco_cacti: ignored (reached end-of-life)
eoan_cacti: ignored (reached end-of-life)
focal_cacti: not-affected (1.2.10+ds1-1ubuntu1)
groovy_cacti: ignored (reached end-of-life)
hirsute_cacti: not-affected (1.2.16+ds1-2ubuntu1)
impish_cacti: not-affected (1.2.16+ds1-2ubuntu1)
jammy_cacti: not-affected (1.2.16+ds1-2ubuntu1)
devel_cacti: not-affected (1.2.16+ds1-2ubuntu1)