PT-2024-25797 · Cacti+3
Delsploit · Published 2023-07-13 · Updated 2025-01-24
CVE-2024-34340
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Cacti versions prior to 1.2.27
Description
Cacti provides an operational monitoring and fault management framework. The issue lies in the compat_password_verify function, where the MD5 hash of the user-supplied password is compared with the password hash stored in the database using a loose comparison ($md5 == $hash); this is a type juggling vulnerability. This vulnerability affects versions prior to 1.2.27.
Recommendations
For versions prior to 1.2.27, update to version 1.2.27 or later, which contains a patch for the issue. As a temporary workaround, consider modifying the compat_password_verify function to use a strict comparison (===) instead of a loose comparison (==). Restrict access to the compat_password_verify function to minimize the risk of exploitation.
Exploit
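The comparison step behind this issue, re-created in isolation as an added example (not Cacti's code and not part of this advisory), next to the strict comparison the recommendation describes; the function names and every hash value below are constructed for the demo.

```php
<?php
// Added example, not Cacti's own code: the comparison step of the flaw described
// above, re-created in isolation, next to the strict version the advisory recommends.
// Function names and all hash values below are constructed for this demo.

// Vulnerable pattern: md5() yields a 32-char hex string, and "==" makes PHP compare
// two numeric-looking strings as numbers. "0e<digits>" parses as 0 * 10^n = 0, so any
// two such strings compare equal even though their bytes differ.
function loose_hash_matches(string $computed_md5, string $stored_hash): bool
{
    return $computed_md5 == $stored_hash;           // loose comparison (type juggling)
}

// Hardened pattern: byte-for-byte, constant-time comparison. "===" alone already removes
// the type juggling; hash_equals() additionally avoids timing differences.
function strict_hash_matches(string $computed_md5, string $stored_hash): bool
{
    return hash_equals($stored_hash, $computed_md5);
}

// Defender's check: which stored MD5 hashes could the loose comparison misjudge?
// Only hashes PHP treats as numeric strings (e.g. "0e" followed by 30 digits) are exposed;
// a hash containing any of a-d or f is compared as a plain string even under "==".
function is_juggling_prone_hash(string $stored_hash): bool
{
    return is_numeric($stored_hash);
}

// Constructed sample hashes (not derived from real passwords or real Cacti data).
$stored    = '0e' . str_repeat('1', 30);        // numeric-looking hash on file
$candidate = '0e' . str_repeat('7', 30);        // different bytes, also numeric-looking
$ordinary  = md5('constructed-demo-password');  // typical hash containing hex letters

printf("loose  : %s\n", loose_hash_matches($candidate, $stored)  ? 'MATCH (the flaw)' : 'no match');
printf("strict : %s\n", strict_hash_matches($candidate, $stored) ? 'MATCH' : 'no match (correct)');
printf("prone  : stored=%s ordinary=%s\n",
    is_juggling_prone_hash($stored)   ? 'yes' : 'no',
    is_juggling_prone_hash($ordinary) ? 'yes' : 'no');
```

Running the script with `php` shows the loose check accepting two hashes that differ in every digit after the `0e` prefix, while the strict check rejects them; the last helper is the kind of audit one can run over a user table to see whether any stored legacy MD5 hash is of the numeric-looking form.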
Fix
Improper Authentication
Related Identifiers
Affected Products
Alt Linux
Cacti
Linuxmint
Ubuntu