Candidate: CVE-2020-7237
PublicDate: 2020-01-20 05:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7237
 https://github.com/Cacti/cacti/issues/3201
Description:
 Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell
 metacharacters in the Performance Boost Debug Log field of
 poller_automation.php. OS commands are executed when a new poller cycle
 begins. The attacker must be authenticated, and must have access to modify
 the Performance Settings of the product.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_cacti:
 upstream: https://github.com/Cacti/cacti/commit/5010719dbd160198be3e07bb994cf237e3af1308
upstream_cacti: released (1.2.9)
precise/esm_cacti: DNE
trusty_cacti: ignored (out of standard support)
trusty/esm_cacti: DNE (trusty was needed)
xenial_cacti: ignored (end of standard support, was needed)
bionic_cacti: needed
disco_cacti: ignored (reached end-of-life)
eoan_cacti: ignored (reached end-of-life)
focal_cacti: not-affected (1.2.9+ds1-1ubuntu1)
groovy_cacti: not-affected (1.2.9+ds1-1ubuntu1)
hirsute_cacti: not-affected (1.2.9+ds1-1ubuntu1)
impish_cacti: not-affected (1.2.9+ds1-1ubuntu1)
jammy_cacti: not-affected (1.2.9+ds1-1ubuntu1)
devel_cacti: not-affected (1.2.9+ds1-1ubuntu1)