
Unauthenticated Command Injection #5119

Closed
netniV opened this issue Dec 31, 2022 · 8 comments
Labels
bug Undesired behaviour unverified Some days we don't have a clue

Comments

netniV (Member) commented Dec 31, 2022

Describe the bug

A bug exists where the proxy headers are incorrectly checked when not needed, which can be used to bypass IP-based security.

Expected behavior

Cacti should only check the headers an admin defines as being set.

netniV added the labels "bug" and "unverified" Dec 31, 2022
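The issue above is that a forwarding header is honoured even when no proxy was configured, so a request can present an allow-listed address it does not have. The following is an added example, not Cacti's own code: it contrasts that pattern with a resolver that reads only the headers the admin enabled, and only when the TCP peer is a declared proxy. The function names, the header list and the sample addresses are all assumptions made for the example.

```python
# Added example (not Cacti's code): choose the address used for an IP
# allow-list check so proxy headers count only when the admin enabled
# them and the request really arrived from a configured proxy.
import ipaddress
from typing import Iterable, Mapping


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def naive_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Pattern behind the bug: honour a forwarding header whenever present."""
    lookup = {k.lower(): v for k, v in headers.items()}
    for name in ("x-forwarded-for", "x-client-ip", "x-real-ip"):
        if lookup.get(name):
            return lookup[name].split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Iterable[str], enabled_headers: Iterable[str]) -> str:
    """Hardened: headers are consulted only when the TCP peer is a declared
    proxy, and only the headers the admin enabled are read at all."""
    peer = ipaddress.ip_address(remote_addr)
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not nets or not _in_any(peer, nets):
        return str(peer)              # no proxy in front of us: headers are untrusted
    lookup = {k.lower(): v for k, v in headers.items()}
    for name in enabled_headers:
        value = lookup.get(name.lower())
        if not value:
            continue
        # Each proxy appends its upstream to the list; walk from the right
        # and stop at the first hop that is not one of our own proxies.
        for hop in reversed([h.strip() for h in value.split(",")]):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return str(peer)      # malformed value: fall back to the peer
            if not _in_any(addr, nets):
                return str(addr)
    return str(peer)


def is_allowed(ip: str, allow_list: Iterable[str]) -> bool:
    """True when ip falls inside one of the allow-listed networks."""
    nets = [ipaddress.ip_network(x, strict=False) for x in allow_list]
    return _in_any(ipaddress.ip_address(ip), nets)
```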
netniV (Member, Author) commented Dec 31, 2022

This was fixed as part of the security advisory GHSA-6p93-p743-35gf.

netniV closed this as completed Dec 31, 2022
netniV (Member, Author) commented Jan 4, 2023

@paulgevers, @mortenstevens, if you aren't already aware, you should review this issue and take appropriate steps.

paulgevers (Contributor) commented

@netniV thanks for the heads up. As I understand this issue, this is mostly for tracking purposes, and the actual fix has already been available for a month, right?

As can be seen in the Debian Security Tracker, this issue has been fixed in Debian in the supported suites.

Ubuntu is tracking it in bug 2001535.

netniV (Member, Author) commented Jan 4, 2023

That's good, nice to see our users actively passing the information on. 👍

netniV (Member, Author) commented Jan 5, 2023

Thanks for updating us @mortenstevens! Haven't heard from you in a while, hope things are well!

TheWitness (Member) commented

Thanks guys!

mortenstevens (Contributor) commented

@netniV Thanks for asking. Everything is great, but I'm very busy with my company at the moment.

github-actions bot locked and limited conversation to collaborators Apr 11, 2023