Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when register_argc_argv
option of PHP is On
. In cmd_realtime.php
line 119, the $poller_id
used as part of the command execution is sourced from $_SERVER['argv']
, which can be controlled by URL when register_argc_argv
option of PHP is On
. And this option is On
by default in many environments such as the main PHP Docker image for PHP.
View the template here CVE-2024-29895.yaml
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-29895