Vulnerability CVE-2014-2327

Vulnerability Name:

CVE-2014-2327 (CCN-92065)

Assigned:

2014-03-24

Published:

2014-03-24

Updated:

2018-12-13

Summary:

Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
4.1 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-352

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2014-2327

Source: CCN
Type: Cacti Web site
Cacti

Source: CCN
Type: JVN#55076671
Cacti vulnerable to cross-site request forgery

Source: JVN
Type: Third Party Advisory, VDB Entry
JVN#55076671

Source: JVNDB
Type: Third Party Advisory, VDB Entry
JVNDB-2014-002239

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2015:0479

Source: CCN
Type: Bugtraq Mailing List, Mon Mar 24 2014
Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti

Source: SECUNIA
Type: Third Party Advisory
59203

Source: DEBIAN
Type: Third Party Advisory
DSA-2970

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20140324 Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti

Source: BID
Type: Third Party Advisory, VDB Entry
66392

Source: CCN
Type: BID-66392
Cacti CVE-2014-2327 Cross Site Request Forgery Vulnerability

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768

Source: XF
Type: UNKNOWN
cacti-cve20142327-csrf(92065)

Source: GENTOO
Type: Third Party Advisory
GLSA-201509-03

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-2327

Vulnerable Configuration:

Configuration 1:

cpe:/a:cacti:cacti:*:*:*:*:*:*:*:* (Version >= 0.8.7 and <= 0.8.7g)

OR cpe:/a:cacti:cacti:*:*:*:*:*:*:*:* (Version >= 0.8.8 and <= 0.8.8b)

Configuration 2:

cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:cacti:cacti:0.8.7g:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20142327	V	CVE-2014-2327	2022-06-30
oval:org.opensuse.security:def:112038	P	cacti-0.8.8h-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105593	P	cacti-0.8.8h-1.2 on GA media (Moderate)	2021-10-01
oval:org.mitre.oval:def:25061	P	DSA-2970-1 cacti - security update	2014-08-11
oval:com.ubuntu.precise:def:20142327000	V	CVE-2014-2327 on Ubuntu 12.04 LTS (precise) - medium.	2014-04-23
oval:com.ubuntu.trusty:def:20142327000	V	CVE-2014-2327 on Ubuntu 14.04 LTS (trusty) - medium.	2014-04-23
oval:com.ubuntu.xenial:def:201423270000000	V	CVE-2014-2327 on Ubuntu 16.04 LTS (xenial) - medium.	2014-04-23
oval:com.ubuntu.xenial:def:20142327000	V	CVE-2014-2327 on Ubuntu 16.04 LTS (xenial) - medium.	2014-04-23

BACK