CVE-2023-30534
Published: 05 September 2023
Summary
CVE-2023-30534 is a medium-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cacti 1.2.24, recorded against the Fedora Project's Fedora packaging of Cacti. Its CVSS 3.1 base score is 4.3 (Medium).
Operationally: it ranks in the top 2.0% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
Cacti, an open source operational monitoring and fault management framework, contains two instances of insecure deserialization in version 1.2.24. Both sit in the host_new_graphs_save function of graphs_new.php, where PHP's unserialize is called directly on unsanitized request data instead of going through the application's own "safe" deserialization routine, which sanitizes the content and checks for specific values before calling unserialize. A known gadget chain targets the phpseclib library shipped in Cacti's vendor directory, but the classes that chain needs are not present in the bundled copy, so neither deserialization is exploitable in practice. The issue is tracked as CWE-502 and carries a CVSS 3.1 base score of 4.3.
An authenticated user with network access can supply crafted serialized data to the affected endpoint, but without reachable gadgets the injected object has no magic-method side effects to trigger, so there is no meaningful object injection or follow-on code execution. The scored impact is therefore limited confidentiality loss under the stated attack vector. Note that this assessment depends on the classes loadable by the Cacti process; the upgrade, not the absence of gadgets, is the fix to rely on.
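The pattern behind the two flaws, as an added PHP illustration (this is not Cacti's code, and the function names, the constant names and the constructed inputs are assumptions): a decoder that hands raw request data to unserialize(), beside a hardened decoder that rejects object tokens before unserialize() sees them and also sets allowed_classes to false, and a JSON alternative for data that is only scalars and arrays.

```php
<?php
// Added illustration, not Cacti's code: the unsafe pattern the advisory
// describes (unserialize() on raw request data) beside a hardened
// decoder. Function names, constant names and inputs are assumptions.

declare(strict_types=1);

// Constructed inputs standing in for a POST field that would reach
// host_new_graphs_save(). Neither is real Cacti traffic.
const BENIGN_INPUT  = 'a:2:{s:17:"graph_template_id";i:5;s:16:"host_template_id";i:2;}';
// Object token. If a class with a __wakeup()/__destruct() side effect is
// loadable in the process, this is where a gadget chain would start.
const HOSTILE_INPUT = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';

// Vulnerable pattern: whatever the client sent goes to unserialize(), so
// any loadable class may be instantiated and its magic methods run.
function unsafe_decode(string $input): mixed
{
    return unserialize($input);
}

// Hardened pattern, two layers deep:
//  1. refuse serialized objects (O:) and custom-serialized classes (C:)
//     before unserialize() runs, in the spirit of a pre-check;
//  2. pass allowed_classes => false so anything the regex misses becomes
//     __PHP_Incomplete_Class, which has no magic methods to fire.
function safe_decode(string $input): mixed
{
    // Object tokens appear at the start of the string or after ; { }.
    // A string *value* containing 'O:1:"' also matches: that is a
    // false positive we accept, because the check fails closed.
    if (preg_match('/(^|[;{}])[OC]:\+?\d+:"/', $input) === 1) {
        return false;
    }
    // Suppress the notice unserialize() raises on malformed input; the
    // caller receives false and must treat the request as rejected.
    return @unserialize($input, ['allowed_classes' => false]);
}

// Preferable when the payload is only scalars and arrays, as a graph
// selection is: JSON cannot express PHP objects at all.
function json_decode_strict(string $input): array
{
    $decoded = json_decode($input, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $decoded;
}

// Demonstration: the unsafe path instantiates the object; the hardened
// path rejects it and still accepts the benign array.
var_dump(unsafe_decode(HOSTILE_INPUT));
var_dump(safe_decode(HOSTILE_INPUT));
var_dump(safe_decode(BENIGN_INPUT));
var_dump(json_decode_strict('{"graph_template_id":5,"host_template_id":2}'));
```

Requires PHP 8.0 or later for the mixed return type (drop it on 7.x; allowed_classes itself is available from 7.0 and JSON_THROW_ON_ERROR from 7.3). The regex and allowed_classes are deliberately redundant: the first keeps object tokens out of unserialize() entirely, the second guarantees that a bypass of the first yields an inert incomplete class rather than a live object whose __wakeup() or __destruct() could start a chain.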
The project addressed the issue in release 1.2.25. Administrators are advised to upgrade; no workarounds are documented. Public advisories, including the GitHub Security Advisory and downstream Fedora notices, reiterate the upgrade path and confirm the non-exploitable status due to absent gadgets.
The associated EPSS score has held in the 0.52–0.55 range since disclosure, with no pronounced climb from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34927
Vulnerability details
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti's vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a "safe" deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn't used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Cacti 1.2.24 (fixed in 1.2.25), including the Fedora packaging of Cacti.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing that submits malicious serialized objects to input points detects unsafe deserialization and drives corrective action.
Deserialization testing, that is, evaluating how untrusted data is handled, reveals unsafe processing for the remediation process to address.
Sandboxing: untrusted serialized data is deserialized and observed inside an isolated environment, so a gadget chain cannot reach the host outside the sandbox.
Input validation accepts or rejects untrusted serialized data before deserialization occurs.
Malicious code protection identifies and blocks code introduced through deserialization of untrusted data at system boundaries.
Integrity verification of serialized information (for example, a signature or MAC checked over the payload) detects tampering before deserialization occurs.
Data provenance allows untrusted sources to be identified before their data is deserialized or processed.