blob: c9d53ae8592b1f30f95bc460b74a68781e00eb7a [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200712-02">
<title>Cacti: SQL injection</title>
An SQL injection vulnerability has been discovered in Cacti.
<product type="ebuild">cacti</product>
<announced>December 05, 2007</announced>
<revised>December 05, 2007: 02</revised>
<package name="net-analyzer/cacti" auto="yes" arch="*">
<unaffected range="rge">0.8.6j-r7</unaffected>
<unaffected range="ge">0.8.7a</unaffected>
<vulnerable range="lt">0.8.7a</vulnerable>
Cacti is a complete web-based frontend to rrdtool.
It has been reported that the "local_graph_id" variable used in the
file graph.php is not properly sanitized before being processed in an
SQL statement.
<impact type="normal">
A remote attacker could send a specially crafted request to the
vulnerable host, possibly resulting in the execution of arbitrary SQL
There is no known workaround at this time.
All Cacti users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-analyzer/cacti-0.8.6j-r7&quot;</code>
<uri link="">CVE-2007-6035</uri>
<metadata tag="requester" timestamp="Sun, 02 Dec 2007 22:34:20 +0000">
<metadata tag="bugReady" timestamp="Sun, 02 Dec 2007 22:34:29 +0000">
<metadata tag="submitter" timestamp="Tue, 04 Dec 2007 22:01:32 +0000">