Cyber Resilience

CVE-2023-39361

CriticalPublic PoC

Published: 05 September 2023

Published
05 September 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9264 99.8th percentile
Risk Priority 75 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-39361 is a critical-severity SQL Injection (CWE-89) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Cacti, an open source operational monitoring and fault management framework, contains a SQL injection vulnerability in graph_view.php that affects versions prior to 1.2.25. The flaw is tracked as CWE-89 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack complexity that requires no authentication or user interaction.

Unauthenticated guest users, enabled by default, can reach graph_view.php and supply crafted input that triggers the injection. Successful exploitation may allow attackers to escalate privileges to administrative level or achieve remote code execution on the underlying server.

The project has released version 1.2.25 to correct the issue, and administrators are advised to upgrade immediately; the advisory states there are no known workarounds. Multiple distribution lists, including Debian LTS and Fedora, have published coordinated update notifications referencing the same fix.

The associated EPSS score remains elevated near its recorded peak of 0.93, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an…

more

enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cacti
cacti
1.2.24
fedoraproject
fedora
37, 38

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References