CVE-2024-29895 - Vulnerability Details - OpenCVE

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.93144.

Key SSVC decision points have not yet been added.

Vendors	Products
Cacti	Cacti

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Cacti	Cacti

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-13T14:33:27.594Z

Updated: 2024-08-02T01:17:58.192Z

Reserved: 2024-03-21T15:12:08.998Z

Link: CVE-2024-29895

Vulnrichment

Updated: 2024-08-02T01:17:58.192Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T15:17:15.593

Modified: 2024-11-21T09:08:34.137

Link: CVE-2024-29895

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-12T22:00:57Z

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29895", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-21T15:12:08.998Z", "datePublished": "2024-05-13T14:33:27.594Z", "dateUpdated": "2024-08-02T01:17:58.192Z"}, "containers": {"cna": {"title": "Cacti command injection in cmd_realtime.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m"}, {"name": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d"}, {"name": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc"}, {"name": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119"}], "affected": [{"vendor": "Cacti", "product": "cacti", "versions": [{"version": "= 1.3.x DEV", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-13T14:33:27.594Z"}, "descriptions": [{"lang": "en", "value": "Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc."}], "source": {"advisory": "GHSA-cr28-x256-xf5m", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29895", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-13T17:31:11.680843Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cacti:cacti:1.3.0:*:*:*:*:*:*:*"], "vendor": "cacti", "product": "cacti", "versions": [{"status": "affected", "version": "1.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:56:45.934Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:17:58.192Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m"}, {"name": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d"}, {"name": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc"}, {"name": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m", "name": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d", "name": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc", "name": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119", "name": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:17:58.192Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29895", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-13T17:31:11.680843Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cacti:cacti:1.3.0:*:*:*:*:*:*:*"], "vendor": "cacti", "product": "cacti", "versions": [{"status": "affected", "version": "1.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-13T17:28:39.321Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Cacti command injection in cmd_realtime.php", "source": {"advisory": "GHSA-cr28-x256-xf5m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Cacti", "product": "cacti", "versions": [{"status": "affected", "version": "= 1.3.x DEV"}]}], "references": [{"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m", "name": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d", "name": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc", "name": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119", "name": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-13T14:33:27.594Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29895", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:17:58.192Z", "dateReserved": "2024-03-21T15:12:08.998Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-13T14:33:27.594Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc."}, {"lang": "es", "value": "Cacti proporciona un framework de monitoreo operativo y gesti\u00f3n de fallas. Una vulnerabilidad de inyecci\u00f3n de comandos en la rama DEV 1.3.x permite que cualquier usuario no autenticado ejecute comandos arbitrarios en el servidor cuando la opci\u00f3n `register_argc_argv` de PHP est\u00e1 `activada`. En la l\u00ednea 119 de `cmd_realtime.php`, el `$poller_id` usado como parte de la ejecuci\u00f3n del comando proviene de `$_SERVER['argv']`, que puede controlarse mediante URL cuando la opci\u00f3n `register_argc_argv` de PHP est\u00e1 activada. `. Y esta opci\u00f3n est\u00e1 \"activada\" de forma predeterminada en muchos entornos, como la imagen principal de PHP Docker para PHP. el commit 53e8014d1f082034e0646edc6286cde3800c683d contiene un parche para el problema, pero este commit se revirti\u00f3 en el commit 99633903cad0de5ace636249de16f77e57a3c8fc."}], "id": "CVE-2024-29895", "lastModified": "2024-11-21T09:08:34.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T15:17:15.593", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119"}, {"source": "security-advisories@github.com", "url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d"}, {"source": "security-advisories@github.com", "url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc"}, {"source": "security-advisories@github.com", "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Secondary"}]}