{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-43363","title":"Title"},{"category":"description","text":"Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-43363","url":"https://www.suse.com/security/cve/CVE-2024-43363"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1231370 for CVE-2024-43363","url":"https://bugzilla.suse.com/1231370"}],"title":"SUSE CVE CVE-2024-43363","tracking":{"current_release_date":"2026-01-31T00:41:25Z","generator":{"date":"2024-10-09T02:55:24Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-43363","initial_release_date":"2024-10-09T02:55:24Z","revision_history":[{"date":"2024-10-09T02:55:24Z","number":"2","summary":"Current version"},{"date":"2025-01-01T00:47:58Z","number":"3","summary":"Current version"},{"date":"2025-02-14T04:37:37Z","number":"4","summary":"Current version"},{"date":"2025-02-16T04:29:40Z","number":"5","summary":"Current version"},{"date":"2026-01-31T00:41:25Z","number":"6","summary":"vulnerabilities added"}],"status":"interim","version":"6"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Package Hub 15 SP6","product":{"name":"SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6"}},{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}},{"category":"product_version","name":"cacti-1.2.30-bp156.2.6.1","product":{"name":"cacti-1.2.30-bp156.2.6.1","product_id":"cacti-1.2.30-bp156.2.6.1","product_identification_helper":{"cpe":"cpe:2.3:a:cacti:cacti:1.2.30:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/cacti@1.2.30-bp156.2.6.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"cacti-1.2.30-bp156.2.6.1 as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:cacti-1.2.30-bp156.2.6.1"},"product_reference":"cacti-1.2.30-bp156.2.6.1","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"cacti-1.2.30-bp156.2.6.1 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:cacti-1.2.30-bp156.2.6.1"},"product_reference":"cacti-1.2.30-bp156.2.6.1","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2024-43363","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-43363"}],"notes":[{"category":"general","text":"Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.","title":"CVE description"}],"product_status":{"recommended":["SUSE Package Hub 15 SP6:cacti-1.2.30-bp156.2.6.1","openSUSE Leap 15.6:cacti-1.2.30-bp156.2.6.1"]},"references":[{"category":"external","summary":"CVE-2024-43363","url":"https://www.suse.com/security/cve/CVE-2024-43363"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1231370 for CVE-2024-43363","url":"https://bugzilla.suse.com/1231370"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Package Hub 15 SP6:cacti-1.2.30-bp156.2.6.1","openSUSE Leap 15.6:cacti-1.2.30-bp156.2.6.1"]}],"scores":[{"cvss_v3":{"baseScore":7.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Package Hub 15 SP6:cacti-1.2.30-bp156.2.6.1","openSUSE Leap 15.6:cacti-1.2.30-bp156.2.6.1"]}],"threats":[{"category":"impact","date":"2024-10-07T22:00:48Z","details":"important"}],"title":"CVE-2024-43363"}]}