Описание
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
A flaw was found in the SQL plugin shipped with Cyrus SASL. The vulnerability occurs due to failure to properly escape SQL input and leads to an improper input validation vulnerability. This flaw allows an attacker to execute arbitrary SQL commands and the ability to change the passwords for other accounts allowing escalation of privileges.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 9 | cyrus-sasl | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | cyrus-sasl | Out of support scope | ||
| Red Hat Enterprise Linux 6 Extended Lifecycle Support | cyrus-sasl | Fixed | RHSA-2022:0780 | 08.03.2022 |
| Red Hat Enterprise Linux 7 | cyrus-sasl | Fixed | RHSA-2022:0666 | 24.02.2022 |
| Red Hat Enterprise Linux 8 | cyrus-sasl | Fixed | RHSA-2022:0658 | 23.02.2022 |
| Red Hat Enterprise Linux 8 | cyrus-sasl | Fixed | RHSA-2022:0658 | 23.02.2022 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | cyrus-sasl | Fixed | RHSA-2022:0730 | 02.03.2022 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | cyrus-sasl | Fixed | RHSA-2022:0731 | 02.03.2022 |
| Red Hat Enterprise Linux 8.4 Extended Update Support | cyrus-sasl | Fixed | RHSA-2022:0668 | 24.02.2022 |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | redhat-virtualization-host | Fixed | RHSA-2022:1263 | 07.04.2022 |
Показывать по
Дополнительная информация
Статус:
8.8 High
CVSS3
Связанные уязвимости
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does ...
8.8 High
CVSS3