Cacti vulnerability in `compat_password_verify` function
CVE-2024-34340

9.1CRITICAL

Key Information:

Vendor: Cacti
Status: Cacti
Vendor: CVE Published:; 14 May 2024

What is CVE-2024-34340?

Cacti, an operational monitoring and fault management framework, has a vulnerability stemming from its password verification method prior to version 1.2.27. The issue arises in the compat_password_verify component, where comparisons of md5-hashed user input and the stored password in the database utilize a loose comparison method ($md5 == $hash). This can lead to type juggling vulnerabilities, potentially allowing unauthorized parties to gain access to user accounts. A patch addressing this vulnerability was released in version 1.2.27.

Affected Version(s)

cacti < 1.2.27

References

https://github.com/Cacti/cacti/security/advisories/GHSA-3...

x_refsource_CONFIRM

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
May 2, 2024