Fluid Attacks Database

Description

data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| =1.2.16+ds1-2+deb11u4 \|\| =1.2.16+ds1-2+deb11u5 \|\| =1.2.19+ds1-1 \|\| =1.2.19+ds1-2 \|\| =1.2.20+ds1-1 \|\| =1.2.20+ds1-2 \|\| =1.2.21+ds1-1 \|\| =1.2.22+ds1-1 \|\| =1.2.22+ds1-2 \|\| =1.2.22+ds1-3 \|\| =1.2.23+ds1-1 \|\| =1.2.23+ds1-2 \|\| =1.2.24+ds1-1 \|\| =1.2.25+ds1-1 \|\| =1.2.25+ds1-2 \|\| =1.2.26+ds1-1 \|\| =1.2.27+ds1-1 \|\| =1.2.27+ds1-2 \|\| =1.2.28+ds1-1 \|\| =1.2.28+ds1-2 \|\| =1.2.28+ds1-3 \|\| =1.2.28+ds1-4 \|\| =1.2.30+ds1-1 \|\| =1.2.30+ds1-2 \|\| =1.2.30+ds1-3
debian 13	cacti	=1.2.30+ds1-1 \|\| =1.2.30+ds1-2 \|\| =1.2.30+ds1-3
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| =1.2.24+ds1-1+deb12u2 \|\| =1.2.24+ds1-1+deb12u3 \|\| =1.2.24+ds1-1+deb12u4 \|\| =1.2.24+ds1-1+deb12u5 \|\| =1.2.25+ds1-1 \|\| =1.2.25+ds1-2 \|\| =1.2.26+ds1-1 \|\| =1.2.27+ds1-1 \|\| =1.2.27+ds1-2 \|\| =1.2.28+ds1-1 \|\| =1.2.28+ds1-2 \|\| =1.2.28+ds1-3 \|\| =1.2.28+ds1-4 \|\| =1.2.30+ds1-1 \|\| =1.2.30+ds1-2 \|\| =1.2.30+ds1-3
debian 14	cacti	=1.2.30+ds1-1 \|\| =1.2.30+ds1-2 \|\| =1.2.30+ds1-3

Aliases

1. CVE-2020-70582. NVD-2020-70583. OSV-DEBIAN-2020-70584. OSV-2020-70585. SECURITY-TRACKER-CVE-2020-7058

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.