CVE-2024-7477

A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.6 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://download.avaya.com/css/public/documents/101091159	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:avaya:aura_system_manager::::::::
	cpe:2.3:a:avaya:aura_system_manager:10.2:::::::*

History

No history.

Information

Published : 2024-08-08 16:15

Updated : 2024-09-11 15:03

NVD link : CVE-2024-7477

Mitre link : CVE-2024-7477

CVE.ORG link : CVE-2024-7477

JSON object : View

Products Affected

avaya

aura_system_manager

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2024-7477", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "securityalerts@avaya.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2024-08-08T16:15:09.363", "references": [{"url": "https://download.avaya.com/css/public/documents/101091159", "tags": ["Vendor Advisory"], "source": "securityalerts@avaya.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "securityalerts@avaya.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the\u00a0Avaya Aura System Manager\u00a0database.\u00a0\n\nAffected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de inyecci\u00f3n SQL que podr\u00eda permitir que un usuario de interfaz de l\u00ednea de comandos (CLI) con privilegios administrativos ejecute consultas arbitrarias en la base de datos de Avaya Aura System Manager. Las versiones afectadas incluyen 10.1.xx y 10.2.xx. Las versiones anteriores a 10.1 finalizan el soporte del fabricante."}], "lastModified": "2024-09-11T15:03:06.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "263DE525-434E-48C3-A891-8CF42C0AEBC8", "versionEndIncluding": "10.1.2", "versionStartIncluding": "10.1"}, {"criteria": "cpe:2.3:a:avaya:aura_system_manager:10.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D5372F1-A670-44CD-B834-A3126F83F9D9"}], "operator": "OR"}]}], "sourceIdentifier": "securityalerts@avaya.com"}