Unauthenticated Command Injection

[netniV]

Describe the bug

A bug exists where the proxy headers are incorrectly checked when not needed which can be used to bypass IP based security

Expected behavior

Cacti should only check the headers an admin defines as being set

[netniV]

This was fixed as part of the security advisory GHSA-6p93-p743-35gf

[netniV]

@paulgevers, @mortenstevens, If you aren't already aware, you should review this issue and take appropriate steps.

[paulgevers]

@netniV thanks for the heads up. As I understand this issue, this is mostly for tracking purposes, and the actual fix is already available for a month right?

As can be seen in the Debian Security Tracker, this issue has been fixed in Debian in the supported suites.

Ubuntu is tracking it in bug 2001535.

[netniV]

That's good, nice to see our users actively passing the information on 👍

[mortenstevens]

Fedora Updates:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-d4085a681f
https://bodhi.fedoraproject.org/updates/FEDORA-2023-788d505ddc

EPEL / RHEL Updates:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-afa80a1455
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e970b01696
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-0bb464071b

[netniV]

Thanks for updating us @mortenstevens! Haven't heard from you in a while, hope things are well!

[TheWitness]

Thanks guys!

[mortenstevens]

@netniV Thanks for asking. Everything is great, but I'm very busy with my company at the moment.