cnvd - cnvd-2018-04494

cnvd-2018-04494

Vulnerability from cnvd

Title: Trend Micro Email Encryption Gateway SQL注入漏洞（CNVD-2018-04494）

Description:

Trend Micro Email Encryption是美国趋势科技（Trend Micro）公司的一套基于身份的具有电子邮件加密功能的解决方案。Trend Micro Email Encryption Gateway（TMEEG）是其中的一个提供数据保护的网关产品。

Trend Micro Email Encryption Gateway 5.5 Build 1111及之前版本中的搜索配置脚本存在SQL注入漏洞，该漏洞源于程序未能过滤emailSearch.jsp脚本中的‘SearchString’参数。远程攻击者可借助‘SearchString’参数向emailSearch.jsp脚本发送特制的SQL语句利用该漏洞查看、添加、更改或删除后端数据库中的信息。

Severity: 高

Patch Name: Trend Micro Email Encryption Gateway SQL注入漏洞（CNVD-2018-04494）的补丁

Patch Description:

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://success.trendmicro.com/solution/1119349-security-bulletin-trend-micro-email-encryption-gateway-5-5-multiple-vulnerabilities

Reference: http://seclists.org/fulldisclosure/2018/Feb/60

Impacted products

Name
Trend Micro Email Encryption Gateway (TMEEG) <=5.5 Build 1111

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-6230"
    }
  },
  "description": "Trend Micro Email Encryption\u662f\u7f8e\u56fd\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u8eab\u4efd\u7684\u5177\u6709\u7535\u5b50\u90ae\u4ef6\u52a0\u5bc6\u529f\u80fd\u7684\u89e3\u51b3\u65b9\u6848\u3002Trend Micro Email Encryption Gateway\uff08TMEEG\uff09\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u63d0\u4f9b\u6570\u636e\u4fdd\u62a4\u7684\u7f51\u5173\u4ea7\u54c1\u3002\r\n\r\nTrend Micro Email Encryption Gateway 5.5 Build 1111\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u7684\u641c\u7d22\u914d\u7f6e\u811a\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u8fc7\u6ee4emailSearch.jsp\u811a\u672c\u4e2d\u7684\u2018SearchString\u2019\u53c2\u6570\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018SearchString\u2019\u53c2\u6570\u5411emailSearch.jsp\u811a\u672c\u53d1\u9001\u7279\u5236\u7684SQL\u8bed\u53e5\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u3001\u6dfb\u52a0\u3001\u66f4\u6539\u6216\u5220\u9664\u540e\u7aef\u6570\u636e\u5e93\u4e2d\u7684\u4fe1\u606f\u3002",
  "discovererName": "Leandro Barragan and Maximiliano Vidal from Core Security Consulting Service",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://success.trendmicro.com/solution/1119349-security-bulletin-trend-micro-email-encryption-gateway-5-5-multiple-vulnerabilities",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04494",
  "openTime": "2018-03-07",
  "patchDescription": "Trend Micro Email Encryption\u662f\u7f8e\u56fd\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u8eab\u4efd\u7684\u5177\u6709\u7535\u5b50\u90ae\u4ef6\u52a0\u5bc6\u529f\u80fd\u7684\u89e3\u51b3\u65b9\u6848\u3002Trend Micro Email Encryption Gateway\uff08TMEEG\uff09\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u63d0\u4f9b\u6570\u636e\u4fdd\u62a4\u7684\u7f51\u5173\u4ea7\u54c1\u3002\r\n\r\nTrend Micro Email Encryption Gateway 5.5 Build 1111\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u7684\u641c\u7d22\u914d\u7f6e\u811a\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u8fc7\u6ee4emailSearch.jsp\u811a\u672c\u4e2d\u7684\u2018SearchString\u2019\u53c2\u6570\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018SearchString\u2019\u53c2\u6570\u5411emailSearch.jsp\u811a\u672c\u53d1\u9001\u7279\u5236\u7684SQL\u8bed\u53e5\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u3001\u6dfb\u52a0\u3001\u66f4\u6539\u6216\u5220\u9664\u540e\u7aef\u6570\u636e\u5e93\u4e2d\u7684\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Trend Micro Email Encryption Gateway SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2018-04494\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Trend Micro Email Encryption Gateway (TMEEG) \u003c=5.5 Build 1111"
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2018/Feb/60",
  "serverity": "\u9ad8",
  "submitTime": "2018-02-23",
  "title": "Trend Micro Email Encryption Gateway SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2018-04494\uff09"
}

CVE-2018-6230 (GCVE-0-2018-6230)

Vulnerability from cvelistv5

Published

2018-03-15 19:00

Modified

2024-08-05 06:01

Severity ?

CWE

SQL Injection

Summary

A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.

References

▼	URL	Tags
	https://www.exploit-db.com/exploits/44166/	exploit, x_refsource_EXPLOIT-DB
	https://success.trendmicro.com/solution/1119349	x_refsource_CONFIRM
	https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Trend Micro	Trend Micro Email Encryption Gateway	Version: 5.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:01:47.658Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "44166",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/44166/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://success.trendmicro.com/solution/1119349"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Trend Micro Email Encryption Gateway",
          "vendor": "Trend Micro",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            }
          ]
        }
      ],
      "datePublic": "2018-03-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-16T09:57:01",
        "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
        "shortName": "trendmicro"
      },
      "references": [
        {
          "name": "44166",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/44166/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://success.trendmicro.com/solution/1119349"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@trendmicro.com",
          "ID": "CVE-2018-6230",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Trend Micro Email Encryption Gateway",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Trend Micro"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "SQL Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "44166",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/44166/"
            },
            {
              "name": "https://success.trendmicro.com/solution/1119349",
              "refsource": "CONFIRM",
              "url": "https://success.trendmicro.com/solution/1119349"
            },
            {
              "name": "https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities",
              "refsource": "MISC",
              "url": "https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
    "assignerShortName": "trendmicro",
    "cveId": "CVE-2018-6230",
    "datePublished": "2018-03-15T19:00:00",
    "dateReserved": "2018-01-25T00:00:00",
    "dateUpdated": "2024-08-05T06:01:47.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted