CVE-2023-30534 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2023-30534 Interim 1 7 2026-03-05T03:43:31Z current 2023-09-07T23:20:28Z 2026-03-05T03:43:31Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2023-30534 Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti's vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn't used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JFJCU2NOOFCO7XJZOUW2BQ6HWJMHSYSN/ E-Mail link for openSUSE-SU-2023:0275-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 12 SUSE Package Hub 15 SP4 SUSE Package Hub 15 SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 openSUSE Tumbleweed cacti-1.2.25-2.1 cacti-1.2.25-35.1 cacti-1.2.25-bp154.2.9.1 cacti-1.2.25-bp155.2.3.1 cacti-spine-1.2.25-29.1 cacti-spine-1.2.25-bp154.2.9.1 cacti-spine-1.2.25-bp155.2.3.1 cacti-1.2.25-35.1 as a component of SUSE Package Hub 12 cacti-spine-1.2.25-29.1 as a component of SUSE Package Hub 12 cacti-1.2.25-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 cacti-spine-1.2.25-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 cacti-1.2.25-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 cacti-spine-1.2.25-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 cacti-1.2.25-bp154.2.9.1 as a component of openSUSE Leap 15.4 cacti-spine-1.2.25-bp154.2.9.1 as a component of openSUSE Leap 15.4 cacti-1.2.25-bp155.2.3.1 as a component of openSUSE Leap 15.5 cacti-spine-1.2.25-bp155.2.3.1 as a component of openSUSE Leap 15.5 cacti-1.2.25-2.1 as a component of openSUSE Tumbleweed Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti's vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn't used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-30534 SUSE Package Hub 12:cacti-1.2.25-35.1 SUSE Package Hub 12:cacti-spine-1.2.25-29.1 SUSE Package Hub 15 SP4:cacti-1.2.25-bp154.2.9.1 SUSE Package Hub 15 SP4:cacti-spine-1.2.25-bp154.2.9.1 SUSE Package Hub 15 SP5:cacti-1.2.25-bp155.2.3.1 SUSE Package Hub 15 SP5:cacti-spine-1.2.25-bp155.2.3.1 openSUSE Leap 15.4:cacti-1.2.25-bp154.2.9.1 openSUSE Leap 15.4:cacti-spine-1.2.25-bp154.2.9.1 openSUSE Leap 15.5:cacti-1.2.25-bp155.2.3.1 openSUSE Leap 15.5:cacti-spine-1.2.25-bp155.2.3.1 openSUSE Tumbleweed:cacti-1.2.25-2.1 moderate 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N