cnvd - cnvd-2017-11306

cnvd-2017-11306

Vulnerability from cnvd

Title: Cisco Prime Infrastructure和Cisco Evolved Programmable Network Manager SQL注入漏洞

Description:

Cisco Prime Infrastructure（PI）和Cisco Evolved Programmable Network Manager（EPNM）都是美国思科（Cisco）公司的产品。PI是一套通过Cisco Prime LAN Management Solution（LMS）和Cisco Prime Network Control System（NCS）技术进行无线管理的解决方案；EPNM是一套网络管理解决方案。

Cisco PI和EPNM中的SQL数据库界面存在SQL注入漏洞，该漏洞源于程序未能充分的正确验证SQL查询中用户提交的输入。远程攻击者可通过向受影响的应用程序中发送带有恶意SQL语句的URLs利用该漏洞影响应用程序的完整性和保密性。

Severity: 中

Patch Name: Cisco Prime Infrastructure和Cisco Evolved Programmable Network Manager SQL注入漏洞的补丁

Patch Description:

Cisco PI和EPNM中的SQL数据库界面存在SQL注入漏洞，该漏洞源于程序未能充分的正确验证SQL查询中用户提交的输入。远程攻击者可通过向受影响的应用程序中发送带有恶意SQL语句的URLs利用该漏洞影响应用程序的完整性和保密性。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1

Impacted products

Name
['Cisco Prime Infrastructure', 'Cisco Evolved Programmable Network Manager 0', 'Cisco Prime Infrastructure Cisco Prime Infrastructure 1.1 － 3.1.6', 'Cisco Prime Infrastructure 3.1(1)', 'Cisco Network Level Service 2.0(4.0.45B)']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-6698"
    }
  },
  "description": "Cisco Prime Infrastructure\uff08PI\uff09\u548cCisco Evolved Programmable Network Manager\uff08EPNM\uff09\u90fd\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002PI\u662f\u4e00\u5957\u901a\u8fc7Cisco Prime LAN Management Solution\uff08LMS\uff09\u548cCisco Prime Network Control System\uff08NCS\uff09\u6280\u672f\u8fdb\u884c\u65e0\u7ebf\u7ba1\u7406\u7684\u89e3\u51b3\u65b9\u6848\uff1bEPNM\u662f\u4e00\u5957\u7f51\u7edc\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nCisco PI\u548cEPNM\u4e2d\u7684SQL\u6570\u636e\u5e93\u754c\u9762\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u6b63\u786e\u9a8c\u8bc1SQL\u67e5\u8be2\u4e2d\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u4e2d\u53d1\u9001\u5e26\u6709\u6076\u610fSQL\u8bed\u53e5\u7684URLs\u5229\u7528\u8be5\u6f0f\u6d1e\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u7684\u5b8c\u6574\u6027\u548c\u4fdd\u5bc6\u6027\u3002",
  "discovererName": "Pichaya Morimoto",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-11306",
  "openTime": "2017-06-26",
  "patchDescription": "Cisco Prime Infrastructure\uff08PI\uff09\u548cCisco Evolved Programmable Network Manager\uff08EPNM\uff09\u90fd\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002PI\u662f\u4e00\u5957\u901a\u8fc7Cisco Prime LAN Management Solution\uff08LMS\uff09\u548cCisco Prime Network Control System\uff08NCS\uff09\u6280\u672f\u8fdb\u884c\u65e0\u7ebf\u7ba1\u7406\u7684\u89e3\u51b3\u65b9\u6848\uff1bEPNM\u662f\u4e00\u5957\u7f51\u7edc\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nCisco PI\u548cEPNM\u4e2d\u7684SQL\u6570\u636e\u5e93\u754c\u9762\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u6b63\u786e\u9a8c\u8bc1SQL\u67e5\u8be2\u4e2d\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u4e2d\u53d1\u9001\u5e26\u6709\u6076\u610fSQL\u8bed\u53e5\u7684URLs\u5229\u7528\u8be5\u6f0f\u6d1e\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u7684\u5b8c\u6574\u6027\u548c\u4fdd\u5bc6\u6027\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Prime Infrastructure\u548cCisco Evolved Programmable Network Manager SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cisco Prime Infrastructure",
      "Cisco Evolved Programmable Network Manager 0",
      "Cisco Prime Infrastructure Cisco Prime Infrastructure 1.1 \uff0d 3.1.6",
      "Cisco Prime Infrastructure  3.1(1)",
      "Cisco Network Level Service 2.0(4.0.45B)"
    ]
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1",
  "serverity": "\u4e2d",
  "submitTime": "2017-06-23",
  "title": "Cisco Prime Infrastructure\u548cCisco Evolved Programmable Network Manager SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2017-6698 (GCVE-0-2017-6698)

Vulnerability from cvelistv5

Published

2017-07-04 00:00

Modified

2024-08-05 15:41

Severity ?

CWE

SQL Injection Vulnerability

Summary

A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) SQL database interface could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. More Information: CSCvc23892 CSCvc35270 CSCvc35626 CSCvc35630 CSCvc49568. Known Affected Releases: 3.1(1) 2.0(4.0.45B).

References

▼	URL	Tags
	http://www.securitytracker.com/id/1038751	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/99214	vdb-entry, x_refsource_BID
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	Cisco Prime Infrastructure and Evolved Programmable Network Manager	Version: Cisco Prime Infrastructure and Evolved Programmable Network Manager

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:41:16.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038751",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038751"
          },
          {
            "name": "99214",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/99214"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Prime Infrastructure and Evolved Programmable Network Manager",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco Prime Infrastructure and Evolved Programmable Network Manager"
            }
          ]
        }
      ],
      "datePublic": "2017-07-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) SQL database interface could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. More Information: CSCvc23892 CSCvc35270 CSCvc35626 CSCvc35630 CSCvc49568. Known Affected Releases: 3.1(1) 2.0(4.0.45B)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection Vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-06T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "1038751",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038751"
        },
        {
          "name": "99214",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/99214"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2017-6698",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Prime Infrastructure and Evolved Programmable Network Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco Prime Infrastructure and Evolved Programmable Network Manager"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) SQL database interface could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. More Information: CSCvc23892 CSCvc35270 CSCvc35626 CSCvc35630 CSCvc49568. Known Affected Releases: 3.1(1) 2.0(4.0.45B)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "SQL Injection Vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038751",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038751"
            },
            {
              "name": "99214",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/99214"
            },
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2017-6698",
    "datePublished": "2017-07-04T00:00:00",
    "dateReserved": "2017-03-09T00:00:00",
    "dateUpdated": "2024-08-05T15:41:16.119Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted