CVE-2023-39361
Published: 05 September 2023
Summary
CVE-2023-39361 is a critical-severity SQL Injection (CWE-89) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Cacti, an open source operational monitoring and fault management framework, contains a SQL injection vulnerability in graph_view.php that affects versions prior to 1.2.25. The flaw is tracked as CWE-89 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack complexity that requires no authentication or user interaction.
Unauthenticated guest users, enabled by default, can reach graph_view.php and supply crafted input that triggers the injection. Successful exploitation may allow attackers to escalate privileges to administrative level or achieve remote code execution on the underlying server.
The project has released version 1.2.25 to correct the issue, and administrators are advised to upgrade immediately; the advisory states there are no known workarounds. Multiple distribution lists, including Debian LTS and Fedora, have published coordinated update notifications referencing the same fix.
The associated EPSS score remains elevated near its recorded peak of 0.93, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-43087
Vulnerability details
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an…
more
enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.