SB2016030401 - SQL injection in cacti (Alpine package)
Published: March 4, 2016 Updated: May 19, 2022
Description
This security bulletin contains information about 1 security vulnerability.
1) SQL injection (CVE-ID: CVE-2015-8604)
The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application database.
The vulnerability exists because user-supplied data passed via the cg_g parameter in a save action is used in a database query without adequate validation or sanitization. A remote attacker can send a specially crafted save request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation may allow a remote attacker to read, modify or delete data in the database and gain complete control over the affected application.
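The following is an added example, not Cacti code and not part of the original bulletin: it reproduces the defect class described above in miniature and shows the fix beside it. Cacti itself is PHP against MySQL; here the same pattern is modelled in Python with an in-memory SQLite database. The schema, the rows, the stand-in user_auth table and the assumption that cg_g carries a single numeric template id are all constructed for illustration.

```python
"""CVE-2015-8604 pattern: a request parameter spliced into SQL versus validated and bound.

Added example, not Cacti code. Table layout, sample rows and the shape of
cg_g (a single numeric id) are constructed assumptions for illustration.
"""
import re
import sqlite3


def build_db():
    """Constructed test database: a lookup table plus a sensitive table to leak."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE graph_templates (id INTEGER PRIMARY KEY, name TEXT)")
    cur.executemany(
        "INSERT INTO graph_templates VALUES (?, ?)",
        [(1, "Interface - Traffic"), (2, "Unix - Load Average")],
    )
    # Constructed stand-in for credential storage an attacker would target.
    cur.execute("CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    cur.execute("INSERT INTO user_auth VALUES (?, ?, ?)", (1, "admin", "$1$constructed$hash"))
    conn.commit()
    return conn


def lookup_vulnerable(conn, cg_g):
    """Defective form: the raw parameter is concatenated into the statement.

    Anything the client puts in cg_g becomes part of the SQL, so a UNION
    (or any other clause the database accepts) is executed as written.
    """
    sql = "SELECT id, name FROM graph_templates WHERE id = " + cg_g
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, cg_g):
    """Hardened form: enforce the expected type, then pass the value as a bound parameter.

    The allow-list check rejects anything that is not an ASCII decimal
    integer; the placeholder keeps the value out of the query text entirely.
    """
    if not re.fullmatch(r"[0-9]+", cg_g):
        raise ValueError("cg_g must be a non-negative integer")
    return conn.execute(
        "SELECT id, name FROM graph_templates WHERE id = ?", (int(cg_g),)
    ).fetchall()


def demo():
    """Run a benign id and an injection payload through both variants."""
    conn = build_db()
    # Constructed payload: the leading 0 matches nothing, the UNION appends attacker-chosen rows.
    payload = "0 UNION SELECT username, password FROM user_auth"
    return {
        "benign_fixed": lookup_fixed(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),
        "payload_fixed_rejected": _rejected(conn, payload),
    }


def _rejected(conn, value):
    """True when the hardened lookup refuses the value."""
    try:
        lookup_fixed(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

The point to carry back to the bulletin is the second half of the fix: type validation alone is not the defence, binding is. Validation narrows what reaches the query; the placeholder guarantees that whatever does reach it is treated as data, not as SQL.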
Remediation
Install the updated cacti package from the Alpine repositories; the aports commits carrying the fix are listed under References.
References
- https://git.alpinelinux.org/aports/commit/?id=6c80b2936408ee03f85d824010c7cb7a789074a3
- https://git.alpinelinux.org/aports/commit/?id=81eb7e3b062d62dff1b82864cdd42732b50f4a9c
- https://git.alpinelinux.org/aports/commit/?id=847dfa07b7e3f4b82db2bad3a053a5976e5ee07f
- https://git.alpinelinux.org/aports/commit/?id=4351d84d02c27d6ce0d5dd5be73b718d7876a6f7
- https://git.alpinelinux.org/aports/commit/?id=43f38ad334e6dbd364c7de66c2208f10692095a4