CVE-2024-45598

Exploit

EPSS 0.16%
Published 27.01.2025 16:15:31
Last modified 04.03.2025 14:45:17
Source security-advisories@github.com
Teams watchlist Login
Open Login

Cacti is an open source performance and fault management framework. Prior to 1.2.29, an administrator can change the `Poller Standard Error Log Path` parameter in either Installation Step 5 or in Configuration->Settings->Paths tab to a local file inside the server. Then simply going to Logs tab and selecting the name of the local file will show its content on the web UI. This vulnerability is fixed in 1.2.29.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cacti ≫ Cacti Version < 1.2.29

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.16%	0.371

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6	1.2	4.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/Cacti/cacti/commit/eca52c6bb3e76c55d66b1040baa6dbf37471a0ae

Patch

https://github.com/Cacti/cacti/security/advisories/GHSA-pv2c-97pp-vxwg

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-45598

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45598

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45598

EUVD