SB2016080533 - SQL injection in cacti (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: CVE-2016-3172)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the parent_id parameter in an item_edit action. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=8f1a7598918d8f399f40731e2b301bee9cc2f9fd
• https://git.alpinelinux.org/aports/commit/?id=a32d5ff12f834f60c89513108384ddd3526d086b
• https://git.alpinelinux.org/aports/commit/?id=3e80eb628ac006b7ba54ee2152bafab4fa497ef9