Details of VAR-201407-0175

ID

VAR-201407-0175

CVE

CVE-2014-4977

TITLE

Dell SonicWall Scrutinizer In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-003368

DESCRIPTION

Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php. Dell SonicWALL Scrutinizer is prone to multiple security vulnerabilities, including: 1. A privilege-escalation vulnerability 2. Multiple SQL-injection vulnerabilities Attackers can exploit these issues to perform certain actions with elevated privileges, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands

Trust: 1.98

sources: NVD: CVE-2014-4977 // JVNDB: JVNDB-2014-003368 // BID: 68495 // VULHUB: VHN-72918

AFFECTED PRODUCTS

vendor:	sonicwall	model:	scrutinizer	scope:	eq	version:	11.0.1	Trust: 1.6
vendor:	dell	model:	sonicwall scrutinizer	scope:	eq	version:	11.0.1	Trust: 0.8

sources: JVNDB: JVNDB-2014-003368 // CNNVD: CNNVD-201407-365 // NVD: CVE-2014-4977

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-4977
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-4977
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201407-365
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-72918
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-4977
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-72918
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-72918 // JVNDB: JVNDB-2014-003368 // CNNVD: CNNVD-201407-365 // NVD: CVE-2014-4977

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-72918 // JVNDB: JVNDB-2014-003368 // NVD: CVE-2014-4977

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-365

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201407-365

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003368

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-72918

PATCH

title:	Dell SonicWALL Scrutinizer	url:	http://www.dell.com/jp/business/p/sonicwall-scrutinizer/pd?dgc=ST&cid=33282&lid=4254676&acd=10591620522341418	Trust: 0.8
title:	Scrutinizer	url:	http://www.sonicwall.com/us/en/support/6632.html	Trust: 0.8

sources: JVNDB: JVNDB-2014-003368

EXTERNAL IDS

db:	NVD	id:	CVE-2014-4977	Trust: 2.8
db:	PACKETSTORM	id:	127429	Trust: 2.5
db:	BID	id:	68495	Trust: 2.0
db:	PACKETSTORM	id:	137098	Trust: 1.1
db:	EXPLOIT-DB	id:	39836	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-003368	Trust: 0.8
db:	CNNVD	id:	CNNVD-201407-365	Trust: 0.7
db:	XF	id:	94439	Trust: 0.6
db:	VULHUB	id:	VHN-72918	Trust: 0.1

sources: VULHUB: VHN-72918 // BID: 68495 // JVNDB: JVNDB-2014-003368 // CNNVD: CNNVD-201407-365 // NVD: CVE-2014-4977

REFERENCES

url:	http://packetstormsecurity.com/files/127429/dell-sonicwall-scrutinizer-11.01-code-execution-sql-injection.html	Trust: 2.5
url:	http://www.securityfocus.com/bid/68495	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2014/jul/44	Trust: 1.7
url:	https://gist.github.com/brandonprry/36b4b8df1cde279a9305	Trust: 1.7
url:	https://gist.github.com/brandonprry/76741d9a0d4f518fe297	Trust: 1.7
url:	https://www.exploit-db.com/exploits/39836/	Trust: 1.1
url:	http://packetstormsecurity.com/files/137098/dell-sonicwall-scrutinizer-11.01-methoddetail-sql-injection.html	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/94439	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4977	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4977	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/94439	Trust: 0.6

sources: VULHUB: VHN-72918 // JVNDB: JVNDB-2014-003368 // CNNVD: CNNVD-201407-365 // NVD: CVE-2014-4977

CREDITS

Brandon Perry

Trust: 0.3

sources: BID: 68495

SOURCES

db:	VULHUB	id:	VHN-72918
db:	BID	id:	68495
db:	JVNDB	id:	JVNDB-2014-003368
db:	CNNVD	id:	CNNVD-201407-365
db:	NVD	id:	CVE-2014-4977

LAST UPDATE DATE

2024-11-23T21:45:02.408000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-72918	date:	2018-03-12T00:00:00
db:	BID	id:	68495	date:	2014-07-24T00:09:00
db:	JVNDB	id:	JVNDB-2014-003368	date:	2014-07-17T00:00:00
db:	CNNVD	id:	CNNVD-201407-365	date:	2014-07-17T00:00:00
db:	NVD	id:	CVE-2014-4977	date:	2024-11-21T02:11:12.530

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-72918	date:	2014-07-16T00:00:00
db:	BID	id:	68495	date:	2014-07-10T00:00:00
db:	JVNDB	id:	JVNDB-2014-003368	date:	2014-07-17T00:00:00
db:	CNNVD	id:	CNNVD-201407-365	date:	2014-07-17T00:00:00
db:	NVD	id:	CVE-2014-4977	date:	2014-07-16T14:19:04.370