Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistNozomiCVELIST:CVE-2023-29245
HistorySep 19, 2023 - 10:04 a.m.

CVE-2023-29245 SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0

2023-09-1910:04:57
CWE-89
Nozomi
www.cve.org
1
cve-2023-29245
sql injection
nozomi networks guardian
cmc
input validation
asset intelligence
ids
malicious network packets
dbms security

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS4

9.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

46.4%

JSON

A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, may allow an unauthenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application by sending specially crafted malicious network packets.

Malicious users with extensive knowledge on the underlying system may be able to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and/or affect its availability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Guardian",
    "vendor": "Nozomi Networks",
    "versions": [
      {
        "lessThan": "22.6.3",
        "status": "affected",
        "version": "22.6.0",
        "versionType": "semver"
      },
      {
        "lessThan": "23.1.0",
        "status": "affected",
        "version": "23.0.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "CMC",
    "vendor": "Nozomi Networks",
    "versions": [
      {
        "lessThan": "22.6.3",
        "status": "affected",
        "version": "22.6.0",
        "versionType": "semver"
      },
      {
        "lessThan": "23.1.0",
        "status": "affected",
        "version": "23.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Related

prion 1
nvd 1
cve 1
ics 1
prion
prion
Sql injection
2023-09-19 11:16:00
nvd
nvd
CVE-2023-29245
2023-09-19 11:16:18
cve
cve
CVE-2023-29245
2023-09-19 11:16:18
ics
ics
Siemens RUGGEDCOM APE1808 Devices
2023-11-16 12:00:00

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS4

9.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

46.4%

JSON
Related for CVELIST:CVE-2023-29245
prion1nvd1cve1ics1