cnvd - cnvd-2020-31978

cnvd-2020-31978

Vulnerability from cnvd

Title: Cisco Prime Infrastructure Software SQL注入漏洞

Description:

Cisco Prime Infrastructure Software是美国思科（Cisco）公司的一套基础网络生命周期管理解决方案。该产品集成了Cisco Prime LAN Management Solution（LMS）和Cisco Prime Network Control System（NCS）。

Cisco Prime Infrastructure Software 3.7.1 Update 01之前版本和3.8 Update 02之前版本中的基于Web的管理界面存在SQL注入漏洞，该漏洞源于程序未正确验证用户提交的参数。攻击者可通过对应用程序进行身份验证并将恶意请求发送到受影响的系统利用该漏洞获得和修改存储在底层数据库中的敏感信息。

Severity: 中

Patch Name: Cisco Prime Infrastructure Software SQL注入漏洞的补丁

Patch Description:

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-sql-inj-KGLLsFw8

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-3339

Impacted products

Name
['Cisco Prime Infrastructure Software <3.7.1 Update 01', 'Cisco Prime Infrastructure Software <3.8 Update 02']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-3339"
    }
  },
  "description": "Cisco Prime Infrastructure Software\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u7840\u7f51\u7edc\u751f\u547d\u5468\u671f\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u96c6\u6210\u4e86Cisco Prime LAN Management Solution\uff08LMS\uff09\u548cCisco Prime Network Control System\uff08NCS\uff09\u3002\n\nCisco Prime Infrastructure Software 3.7.1 Update 01\u4e4b\u524d\u7248\u672c\u548c3.8 Update 02\u4e4b\u524d\u7248\u672c\u4e2d\u7684\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u754c\u9762\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u63d0\u4ea4\u7684\u53c2\u6570\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5bf9\u5e94\u7528\u7a0b\u5e8f\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u5e76\u5c06\u6076\u610f\u8bf7\u6c42\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u548c\u4fee\u6539\u5b58\u50a8\u5728\u5e95\u5c42\u6570\u636e\u5e93\u4e2d\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-sql-inj-KGLLsFw8",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-31978",
  "openTime": "2020-06-09",
  "patchDescription": "Cisco Prime Infrastructure Software\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u7840\u7f51\u7edc\u751f\u547d\u5468\u671f\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u96c6\u6210\u4e86Cisco Prime LAN Management Solution\uff08LMS\uff09\u548cCisco Prime Network Control System\uff08NCS\uff09\u3002\r\n\r\nCisco Prime Infrastructure Software 3.7.1 Update 01\u4e4b\u524d\u7248\u672c\u548c3.8 Update 02\u4e4b\u524d\u7248\u672c\u4e2d\u7684\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u754c\u9762\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u63d0\u4ea4\u7684\u53c2\u6570\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5bf9\u5e94\u7528\u7a0b\u5e8f\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u5e76\u5c06\u6076\u610f\u8bf7\u6c42\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u548c\u4fee\u6539\u5b58\u50a8\u5728\u5e95\u5c42\u6570\u636e\u5e93\u4e2d\u7684\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Prime Infrastructure Software SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cisco Prime Infrastructure Software \u003c3.7.1 Update 01",
      "Cisco Prime Infrastructure Software \u003c3.8 Update 02"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-3339",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-04",
  "title": "Cisco Prime Infrastructure Software SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2020-3339 (GCVE-0-2020-3339)

Vulnerability from cvelistv5

Published

2020-06-03 17:56

Modified

2024-11-15 17:10

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-89

Summary

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database.

References

▼	URL	Tags
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-sql-inj-KGLLsFw8	vendor-advisory, x_refsource_CISCO

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Prime Infrastructure	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:30:58.039Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20200603 Cisco Prime Infrastructure SQL Injection Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-sql-inj-KGLLsFw8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3339",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T16:27:45.602898Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T17:10:10.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Prime Infrastructure",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2020-06-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-03T17:56:37",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20200603 Cisco Prime Infrastructure SQL Injection Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-sql-inj-KGLLsFw8"
        }
      ],
      "source": {
        "advisory": "cisco-sa-pi-sql-inj-KGLLsFw8",
        "defect": [
          [
            "CSCvt69488"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Prime Infrastructure SQL Injection Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-06-03T16:00:00",
          "ID": "CVE-2020-3339",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Prime Infrastructure SQL Injection Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Prime Infrastructure",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "5.4",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20200603 Cisco Prime Infrastructure SQL Injection Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-sql-inj-KGLLsFw8"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-pi-sql-inj-KGLLsFw8",
          "defect": [
            [
              "CSCvt69488"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3339",
    "datePublished": "2020-06-03T17:56:37.568968Z",
    "dateReserved": "2019-12-12T00:00:00",
    "dateUpdated": "2024-11-15T17:10:10.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted