ID

VAR-201906-1118


CVE

CVE-2018-5404


TITLE

Quest Software Kace K1000 Appliance SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-21112 // CNNVD: CNNVD-201906-043

DESCRIPTION

The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross-site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. Quest Software Kace K1000 Appliance is a system management device from Quest Software, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring.

Trust: 2.88

sources: NVD: CVE-2018-5404 // CERT/CC: VU#877837 // JVNDB: JVNDB-2018-015568 // CNVD: CNVD-2019-21112

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-21112

AFFECTED PRODUCTS

vendor: quest, model: kace systems management appliance, scope: lt, version: 9.0.270

Trust: 1.8

vendor: quest kace, model: -, scope: -, version: -

Trust: 0.8

vendor: quest, model: software kace k1000 appliance, scope: lt, version: 9.0.270

Trust: 0.6

sources: CERT/CC: VU#877837 // CNVD: CNVD-2019-21112 // JVNDB: JVNDB-2018-015568 // NVD: CVE-2018-5404

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5404
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-5404
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-21112
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201906-043
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-5404
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-21112
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-5404
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-21112 // JVNDB: JVNDB-2018-015568 // CNNVD: CNNVD-201906-043 // NVD: CVE-2018-5404

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2018-015568 // NVD: CVE-2018-5404

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-043

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201906-043

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015568

PATCH

title: Top Page
url: https://www.quest.com/

Trust: 0.8

title: Quest Software Kace K1000 Appliance SQL injection vulnerability patch
url: https://www.cnvd.org.cn/patchInfo/show/166971

Trust: 0.6

title: Quest Software Kace K1000 Appliance SQL Repair measures for injecting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93135

Trust: 0.6

sources: CNVD: CNVD-2019-21112 // JVNDB: JVNDB-2018-015568 // CNNVD: CNNVD-201906-043

EXTERNAL IDS

db: NVD, id: CVE-2018-5404

Trust: 3.8

db: CERT/CC, id: VU#877837

Trust: 3.8

db: JVN, id: JVNVU91210160

Trust: 0.8

db: JVNDB, id: JVNDB-2018-015568

Trust: 0.8

db: CNVD, id: CNVD-2019-21112

Trust: 0.6

db: CNNVD, id: CNNVD-201906-043

Trust: 0.6

sources: CERT/CC: VU#877837 // CNVD: CNVD-2019-21112 // JVNDB: JVNDB-2018-015568 // CNNVD: CNNVD-201906-043 // NVD: CVE-2018-5404

REFERENCES

url: https://support.quest.com/kb/288310/cert-coordination-center-report-update

Trust: 3.0

url: https://www.kb.cert.org/vuls/id/877837/

Trust: 3.0

url: https://nvd.nist.gov/vuln/detail/cve-2018-5404

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5404

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5405

Trust: 0.8

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5406

Trust: 0.8

url: https://support.quest.com/kace-systems-management-appliance/9.1/download-new-releases
url: https://support.quest.com/
url: https://support.quest.com/kb/288310/cert-coordination-center-report-update

Trust: 0.8

url: https://jvn.jp/vu/jvnvu91210160/index.html

Trust: 0.8

sources: CERT/CC: VU#877837 // CNVD: CNVD-2019-21112 // JVNDB: JVNDB-2018-015568 // CNNVD: CNNVD-201906-043 // NVD: CVE-2018-5404

SOURCES

db: CERT/CC, id: VU#877837
db: CNVD, id: CNVD-2019-21112
db: JVNDB, id: JVNDB-2018-015568
db: CNNVD, id: CNNVD-201906-043
db: NVD, id: CVE-2018-5404

LAST UPDATE DATE

2024-11-23T21:37:12.158000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#877837, date: 2019-06-03T00:00:00
db: CNVD, id: CNVD-2019-21112, date: 2019-07-04T00:00:00
db: JVNDB, id: JVNDB-2018-015568, date: 2019-06-17T00:00:00
db: CNNVD, id: CNNVD-201906-043, date: 2019-06-06T00:00:00
db: NVD, id: CVE-2018-5404, date: 2024-11-21T04:08:45.120

SOURCES RELEASE DATE

db: CERT/CC, id: VU#877837, date: 2019-06-01T00:00:00
db: CNVD, id: CNVD-2019-21112, date: 2019-07-04T00:00:00
db: JVNDB, id: JVNDB-2018-015568, date: 2019-06-17T00:00:00
db: CNNVD, id: CNNVD-201906-043, date: 2019-06-03T00:00:00
db: NVD, id: CVE-2018-5404, date: 2019-06-03T19:29:01.593