Bug 1169215 (CVE-2020-13230)

Summary: VUL-0: cacti: CVE-2020-13230, CVE-2020-13231: multiple vulnerabilities fixed and security hardening applied in 1.2.11
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: Andreas.Stieger, atoptsoglou, rfrohl, security-team
Version: Leap 15.1
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Field Engineer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2020-04-11 12:59:55 UTC
From https://www.cacti.net/changelog.php

security#1566: Add SameSite support for cookies
https://github.com/Cacti/cacti/issues/1566
hardening against cookie theft

security#1985: Cookie should be properly verified against password
https://github.com/Cacti/cacti/issues/1985
If the password has been verified and the "Save password" option ticked during login, a cookie is created which links to the username. However, if the password is changed, the cookie will still be valid, thus allowing access to someone who had stored the password when they should no longer have it.

security#3342: CSRF at Admin Email
https://github.com/Cacti/cacti/issues/3342
A malformed GET request at http://192.168.56.106/cacti/auth_profile.php?action=edit can lead to admin email change.

security#3343: Improper Access Control on disabling a user.
https://github.com/Cacti/cacti/issues/3343
The Cacti admin console provides a function to disable a created user, which removes that user's privileges to perform any action, but if a page is auto-refreshed a disabled user can still view updated data.

security#3414: Update to jQuery 3.4.1 to resolve XSS issues with jQuery 3.3.1
https://github.com/Cacti/cacti/issues/3414
jQuery versions earlier than 3.4 have an XSS vulnerability.
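The #1566, #1985 and #3343 items above describe a "remember me" cookie that should be bound to the current password, should re-check the account's enabled flag on every request, and should be sent with SameSite. The following Python is an added example written for this page, not Cacti's own code: the User class, the cookie format and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
# Constructed server-side key for this example; a real deployment loads it from config.
SERVER_SECRET = secrets.token_bytes(32)

@dataclass
class User:
    name: str
    password_hash: str  # stored credential hash; never placed in the cookie itself
    enabled: bool = True

def _credential_fingerprint(user):
    # Short digest of the stored hash: changes with the password, reveals nothing about it.
    return hashlib.sha256(user.password_hash.encode()).hexdigest()[:16]

def _mac(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_remember_cookie(user, ttl=7 * 24 * 3600, now=None):
    """Build 'name|expiry|fingerprint|mac'; the MAC covers the first three fields."""
    now = int(time.time()) if now is None else now
    payload = f"{user.name}|{now + ttl}|{_credential_fingerprint(user)}"
    return f"{payload}|{_mac(payload)}"

def set_cookie_header(value):
    # #1566: SameSite limits cross-site sending; HttpOnly/Secure limit theft via script or plaintext.
    return f"Set-Cookie: remember={value}; HttpOnly; Secure; SameSite=Lax"

def validate_remember_cookie(cookie, users, now=None):
    """Return the User the cookie authenticates, or None if it must be rejected."""
    now = int(time.time()) if now is None else now
    parts = cookie.rsplit("|", 3)  # rsplit keeps a '|' inside the username intact
    if len(parts) != 4:
        return None
    name, expiry, fingerprint, mac = parts
    valid_mac = hmac.compare_digest(mac.encode(), _mac(f"{name}|{expiry}|{fingerprint}").encode())
    if not valid_mac or not expiry.isdigit() or int(expiry) < now:
        return None
    user = users.get(name)
    # #3343: re-read the enabled flag on every request so disabling takes effect at once.
    if user is None or not user.enabled:
        return None
    # #1985: a cookie issued under an old password no longer matches the stored credential.
    if not hmac.compare_digest(fingerprint.encode(), _credential_fingerprint(user).encode()):
        return None
    return user
```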
Comment 1 Andreas Stieger 2020-04-11 13:31:47 UTC
submitted for the maintainers (no single clear maintainer)
Comment 2 Swamp Workflow Management 2020-04-11 14:21:08 UTC
This is an autogenerated message for OBS integration:
This bug (1169215) was mentioned in
https://build.opensuse.org/request/show/793099 15.1+Backports:SLE-12 / cacti+cacti-spine
Comment 3 Swamp Workflow Management 2020-04-27 22:14:56 UTC
openSUSE-SU-2020:0558-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1082318,1122242,1122243,1122244,1122245,1122535,1158990,1158992,1161297,1164675,1169215
CVE References: CVE-2009-4112,CVE-2018-20723,CVE-2018-20724,CVE-2018-20725,CVE-2018-20726,CVE-2019-16723,CVE-2019-17357,CVE-2019-17358,CVE-2020-7106,CVE-2020-7237,CVE-2020-8813
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.11-5.1, cacti-spine-1.2.11-2.1
Comment 4 Swamp Workflow Management 2020-04-27 22:16:50 UTC
openSUSE-SU-2020:0558-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1082318,1122242,1122243,1122244,1122245,1122535,1158990,1158992,1161297,1164675,1169215
CVE References: CVE-2009-4112,CVE-2018-20723,CVE-2018-20724,CVE-2018-20725,CVE-2018-20726,CVE-2019-16723,CVE-2019-17357,CVE-2019-17358,CVE-2020-7106,CVE-2020-7237,CVE-2020-8813
Sources used:
openSUSE Leap 15.1 (src):    cacti-1.2.11-lp151.3.6.1, cacti-spine-1.2.11-lp151.3.6.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.11-5.1, cacti-spine-1.2.11-2.1
Comment 5 Swamp Workflow Management 2020-04-30 19:23:36 UTC
openSUSE-SU-2020:0565-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1082318,1122242,1122243,1122244,1122245,1122535,1158990,1158992,1161297,1164675,1169215
CVE References: CVE-2009-4112,CVE-2018-20723,CVE-2018-20724,CVE-2018-20725,CVE-2018-20726,CVE-2019-16723,CVE-2019-17357,CVE-2019-17358,CVE-2020-7106,CVE-2020-7237,CVE-2020-8813
Sources used:
openSUSE Backports SLE-15-SP1 (src):    cacti-1.2.11-bp151.4.6.1, cacti-spine-1.2.11-bp151.4.6.1
Comment 6 Alexandros Toptsoglou 2020-05-04 12:19:15 UTC
Done
Comment 7 Andreas Stieger 2020-05-24 18:58:50 UTC
*** Bug 1171986 has been marked as a duplicate of this bug. ***
Comment 8 Andreas Stieger 2020-05-24 18:59:31 UTC
*** Bug 1171987 has been marked as a duplicate of this bug. ***
Comment 9 Andreas Stieger 2020-05-24 19:01:12 UTC
CVE assigned after our update:

CVE-2020-13230

In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).

CVE-2020-13231

In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.