Description
SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.
References
- Exploit, Third Party Advisory
- Patch, Third Party Advisory
- Exploit, Third Party Advisory
- Patch, Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:duraspace:vitro:1.10.0:*:*:*:*:*:*:*
EPSS: 0.01079 (Low), percentile: 77%
CVSS3: 7.5 High
CVSS2: 5 Medium
Weaknesses
CWE-77