Tuesday, 11 July 2017
On 00:15 by admin in vulns
A vulnerability was found in EMC Data Protection Advisor up to 6.3. It has been classified as critical. This affects an unknown function. Manipulation with an unknown input leads to a SQL injection vulnerability. The issue is classified as CWE-89. It impacts confidentiality, integrity, and availability. An attacker might be able to inject and/or alter existing SQL statements, which would influence the database exchange.
The weakness was disclosed on 07/09/2017 as a mailing list post (Full-Disclosure). The advisory is available for download at seclists.org. This vulnerability has been uniquely identified as CVE-2017-8002 since 04/21/2017. The attack can be initiated remotely. The technical details are unknown and an exploit is not publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimate calculated on 07/10/2017).
Upgrading to version 6.4 eliminates this vulnerability.
CVSSv3
VulDB Temp Score: ≈6.0
VulDB Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:X
VulDB Reliability: Medium
CVSSv2
VulDB Base Score: ≈6.0 (CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P)
VulDB Temp Score: ≈5.2 (CVSS2#E:ND/RL:OF/RC:ND)
VulDB Reliability: Medium
CPE
- cpe:/a:emc:data_protection_advisor:6.0
- cpe:/a:emc:data_protection_advisor:6.1
- cpe:/a:emc:data_protection_advisor:6.2
- cpe:/a:emc:data_protection_advisor:6.3
Exploiting
Class: SQL injection (CWE-89)
Local: No
Remote: Yes
Availability: No
Price Prediction: steady
Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found
Upgrade: Data Protection Advisor 6.4
Timeline
04/21/2017 CVE assigned
07/09/2017 +79 days Advisory disclosed
07/10/2017 +1 days VulDB entry created
07/10/2017 +0 days VulDB last update
Sources
Advisory: seclists.org
CVE: CVE-2017-8002 (mitre.org) (nvd.nist.gov) (cvedetails.com)