CVE-2014-3997

Опубликовано: 05 дек. 2014

Источник: nvd

CVSS2: 7.5

EPSS Низкий

Описание

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

Ссылки

http://seclists.org/fulldisclosure/2014/Aug/55
Exploit
Mailing List
Third Party Advisory
http://seclists.org/fulldisclosure/2014/Aug/85
Exploit
Mailing List
Third Party Advisory
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt
Exploit
https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb
Exploit
http://seclists.org/fulldisclosure/2014/Aug/55
Exploit
Mailing List
Third Party Advisory
http://seclists.org/fulldisclosure/2014/Aug/85
Exploit
Mailing List
Third Party Advisory
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt
Exploit
https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb
Exploit

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.0:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.1:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.2:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.3:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.4:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:build6002:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.1:build6104:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:build6201:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.3:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6401:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6402:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6403:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6404:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6503:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6504:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6505:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.6:build6600:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6700:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6701:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6800:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6801:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6802:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6803:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6900:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6901:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6902:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6903:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6904:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:*:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7000:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7001:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7002:*:*:-:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7003:*:*:-:*:*:*

Конфигурация 2

Одно из

cpe:2.3:a:zohocorp:manageengine_it360:*:*:*:*:-:*:*:*

Версия до 10.3.3 (включая)

cpe:2.3:a:zohocorp:manageengine_it360:*:*:*:*:managed_service_providers:*:*:*

Версия до 10.3.3 (включая)

Конфигурация 3

Одно из

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.0:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.1:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.2:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.3:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.4:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:build6002:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.1:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.1:build6104:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:build6201:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.3:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6401:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6402:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6403:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6404:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6503:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6504:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6505:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.6:build6600:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6700:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6701:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6800:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6801:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6802:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6803:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6900:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6901:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6902:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6903:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6904:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:*:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7000:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7001:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7002:*:*:managed_service_providers:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7003:*:*:managed_service_providers:*:*:*

EPSS

Процентиль: 79%

0.0129

Низкий

7.5 High

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-72w4-9phv-wp38

github

больше 3 лет назад

EPSS

Процентиль: 79%

0.0129

Низкий

7.5 High

CVSS2

Дефекты

CWE-89