cscli scenarios install crowdsecurity/CVE-2022-46169
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.
type: leaky
name: crowdsecurity/CVE-2022-46169-bf
description: "Detect CVE-2022-46169 brute forcing"
filter: |
  Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
  Upper(evt.Parsed.verb) == 'GET' &&
  Lower(evt.Parsed.http_args) contains 'host_id' &&
  Lower(evt.Parsed.http_args) contains 'local_data_ids'
leakspeed: "10s"
capacity: 5
blackhole: 1m
groupby: "evt.Meta.source_ip"
labels:
  type: exploit
  remediation: true
  classification:
    - attack.T1592
    - cve.CVE-2022-46169
  spoofable: 0
  confidence: 3
  behavior: "http:bruteforce"
  label: "Cacti CVE-2022-46169"
  service: cacti
---
type: trigger
name: crowdsecurity/CVE-2022-46169-cmd
description: "Detect CVE-2022-46169 cmd injection"
filter: |
  Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
  Upper(evt.Parsed.verb) == 'GET' &&
  Lower(evt.Parsed.http_args) contains 'action=polldata' &&
  Lower(evt.Parsed.http_args) matches 'poller_id=.*(;|%3b)'
blackhole: 1m
groupby: "evt.Meta.source_ip"
labels:
  type: exploit
  remediation: true
  classification:
    - attack.T1595
    - attack.T1190
    - cve.CVE-2022-46169
  spoofable: 0
  confidence: 3
  behavior: "http:exploit"
  label: "Cacti CVE-2022-46169"
  service: cacti
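To see what the two scenarios above actually match, here is an added example (not CrowdSec's code and not part of this hub page) that re-implements both filters in plain Python and runs them over constructed access-log lines. It assumes the fields the CrowdSec nginx/apache parsers fill: evt.Meta.source_ip, evt.Meta.http_path and evt.Parsed.verb, with evt.Parsed.http_args holding the raw query string. The expr functions Upper, Lower, contains and matches are mapped to .upper(), .lower(), `in` and re.search; the leaky bucket (capacity 5, leakspeed 10s) is a simplified model and the 1m blackhole is not modelled. The log lines, IPs and the 6-request burst are all constructed.

```python
"""Added example: the CVE-2022-46169 CrowdSec filters re-implemented in Python
and run over constructed log lines. Not CrowdSec's own engine."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed combined-format log lines (RFC 5737 documentation IPs, not real traffic).
# 203.0.113.7 probes host_id 1..6 in six seconds, then sends an encoded ';' (%3B).
# 198.51.100.3 is a single legitimate-looking poll and a POST that must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:10:00:01 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=1 HTTP/1.1" 401 12 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jan/2023:10:00:02 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=2&local_data_ids[]=1 HTTP/1.1" 401 12 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jan/2023:10:00:03 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=3&local_data_ids[]=1 HTTP/1.1" 401 12 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jan/2023:10:00:04 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=4&local_data_ids[]=1 HTTP/1.1" 401 12 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jan/2023:10:00:05 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=5&local_data_ids[]=1 HTTP/1.1" 401 12 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jan/2023:10:00:06 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=6&local_data_ids[]=1 HTTP/1.1" 200 240 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jan/2023:10:00:07 +0000] "GET /remote_agent.php?action=polldata&poller_id=1%3Bid&host_id=6&local_data_ids[]=1 HTTP/1.1" 200 240 "-" "python-requests/2.28"
198.51.100.3 - - [10/Jan/2023:10:00:08 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=6&local_data_ids[]=1 HTTP/1.1" 200 240 "-" "cacti-poller"
198.51.100.3 - - [10/Jan/2023:10:00:09 +0000] "POST /remote_agent.php?action=polldata&poller_id=1;id HTTP/1.1" 200 240 "-" "curl/7.81"
192.0.2.10 - - [10/Jan/2023:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<uri>\S+)[^"]*"')


@dataclass
class Event:
    time: datetime
    source_ip: str   # evt.Meta.source_ip
    verb: str        # evt.Parsed.verb
    http_path: str   # evt.Meta.http_path
    http_args: str   # evt.Parsed.http_args (raw query string, assumed)


def parse_line(line):
    """Parse one combined-format line into the fields the filters read."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = urlsplit(m.group("uri"))  # urlsplit keeps ';' inside the query
    return Event(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                 m.group("ip"), m.group("verb"), uri.path, uri.query)


def bf_filter(e):
    """Filter of crowdsecurity/CVE-2022-46169-bf: host_id enumeration on remote_agent.php."""
    args = e.http_args.lower()
    return ("/REMOTE_AGENT.PHP" in e.http_path.upper() and e.verb.upper() == "GET"
            and "host_id" in args and "local_data_ids" in args)


CMD_RE = re.compile(r"poller_id=.*(;|%3b)")  # same regex as the scenario, unanchored


def cmd_filter(e):
    """Filter of crowdsecurity/CVE-2022-46169-cmd: a ';' (raw or %3B) after poller_id."""
    args = e.http_args.lower()
    return ("/REMOTE_AGENT.PHP" in e.http_path.upper() and e.verb.upper() == "GET"
            and "action=polldata" in args and CMD_RE.search(args) is not None)


class LeakyBucket:
    """Simplified leaky bucket: one event leaks per `leakspeed`; the bucket overflows
    (alert) when it would hold more than `capacity` events, then empties."""

    def __init__(self, capacity, leakspeed):
        self.capacity, self.leakspeed = capacity, leakspeed
        self.level, self.last = 0.0, None

    def push(self, t):
        if self.last is not None:
            self.level = max(0.0, self.level - (t - self.last) / self.leakspeed)
        self.last = t
        self.level += 1
        if self.level > self.capacity:
            self.level = 0.0
            return True
        return False


def run(log_text, capacity=5, leakspeed=timedelta(seconds=10)):
    """Return {scenario_name: [source_ip, ...]} for every alert raised over the log."""
    alerts = {"crowdsecurity/CVE-2022-46169-bf": [],
              "crowdsecurity/CVE-2022-46169-cmd": []}
    buckets = defaultdict(lambda: LeakyBucket(capacity, leakspeed))  # groupby source_ip
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if bf_filter(e) and buckets[e.source_ip].push(e.time):
            alerts["crowdsecurity/CVE-2022-46169-bf"].append(e.source_ip)
        if cmd_filter(e):  # trigger bucket: fires on the first matching event
            alerts["crowdsecurity/CVE-2022-46169-cmd"].append(e.source_ip)
    return alerts


if __name__ == "__main__":
    for scenario, ips in run(SAMPLE_LOG).items():
        print(scenario, ips)
```

The sixth host_id probe from 203.0.113.7 overflows the bf bucket and the %3B request trips the cmd trigger; the POST with a raw `;` does not match because both filters require GET. Note that the bf filter also matches a legitimate Cacti remote poller's GET requests, since those carry host_id and local_data_ids as well: a single poll stays well under the capacity of 5 in 10s, but a busy distributed-polling setup may need its own pollers whitelisted.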