Lucene search

NozomiVULNRICHMENT:CVE-2023-22378

HistoryAug 09, 2023 - 8:01 a.m.

CVE-2023-22378 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2

2023-08-0908:01:57

CWE-89

Nozomi

github.com

cve-2023-22378

authenticated

blind sql injection

sorting

guardian

cmc

improper input validation

arbitrary sql queries

dbms

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS4

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.3%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application.

Authenticated users may be able to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and/or affect its availability.

References

security.nozominetworks.com/NN-2023:2-01

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS4

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.3%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2023-22378