cve/2024/CVE-2024-29895.md

### [CVE-2024-29895](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29895)
![](https://img.shields.io/static/v1?label=Product&message=cacti&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3D%201.3.x%20DEV%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-77%3A%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20a%20Command%20('Command%20Injection')&color=brighgreen)

### Description

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

### POC

#### Reference
- https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m

#### Github
- https://github.com/Ostorlab/KEV
- https://github.com/Rubioo02/CVE-2024-29895
- https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/secunnix/CVE-2024-29895
- https://github.com/ticofookfook/CVE-2024-29895.py