Missing Authentication for Critical Function in Sphinx - CVE-2019-14511

 


Published: January 11, 2022


Vulnerability identifier: #VU59363
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-14511
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Sphinx
Software vendor: Sphinx Technologies

Description

The vulnerability allows a remote attacker to gain unauthorized access to the database.

The vulnerability exists due to an insecure default configuration in which Sphinx listens on 0.0.0.0 and does not require authentication to be configured. A remote unauthenticated attacker can connect to the database and gain full access to information.
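
As an added example (not code from this advisory or from the Sphinx project), the script below audits a sphinx.conf for the exposure described above: `listen` directives in the `searchd` section that bind to all interfaces. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample sphinx.conf fragment (not taken from the advisory).
SAMPLE_CONF = """
searchd
{
    listen = 9312
    listen = 0.0.0.0:9306:mysql41
    listen = 127.0.0.1:9307:mysql41
    listen = /var/run/searchd.sock
    log = /var/log/searchd.log
}
"""

def listen_values(conf_text):
    """Return the listen values in the searchd block, or None if there is no block."""
    block = re.search(r"^\s*searchd\s*\{(.*?)^\s*\}", conf_text, re.S | re.M)
    if block is None:
        return None
    values = []
    for line in block.group(1).splitlines():
        match = re.match(r"listen\s*=\s*(.+)$", line.split("#", 1)[0].strip())
        if match:
            values.append(match.group(1).strip())
    return values

def exposed(value):
    """True when a listen value binds a TCP port on every interface."""
    if value.startswith("/"):
        return False  # UNIX socket path
    first = value.split(":")[0]
    # A bare port ("9312", "9306:mysql41") has no address part, so it binds all interfaces.
    return first.isdigit() or first == "0.0.0.0"

def audit(conf_text):
    """Return one finding per listener that is reachable on all interfaces."""
    values = listen_values(conf_text)
    if values is None:
        return ["no searchd section found"]
    if not values:
        # Assumption from the Sphinx documentation: without a listen directive,
        # searchd uses its default port(s) on all interfaces.
        return ["no listen directive: default listeners on all interfaces"]
    return [f"listen = {v}: bound to all interfaces" for v in values if exposed(v)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A listener bound to a specific non-loopback address is not flagged here, but it is still reachable from that network and needs a firewall rule or other access control in front of it.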


Remediation

Install updates from the vendor's website.
