Missing Authentication for Critical Function in Sphinx - CVE-2019-14511

 


Published: January 11, 2022


Vulnerability identifier: #VU59363
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-14511
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sphinx Technologies
Affected software:
Sphinx

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to the database.

The vulnerability exists due to an insecure default configuration in which Sphinx listens on 0.0.0.0 and does not require authentication to be configured. A remote unauthenticated attacker can simply connect to the database and gain full access to information.
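
A configuration audit for the exposure described above, added here as an example (it is not vendor code): it parses the `searchd` section of a Sphinx configuration and classifies each `listen` value by bind scope. The sample configuration and the function names are constructed for illustration, and treating a missing `listen` directive as a bind on all interfaces is an assumption taken from the advisory's description of the default.

```python
import re

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """
searchd
{
    listen = 9312                    # port only
    listen = 0.0.0.0:9306:mysql41
    listen = 127.0.0.1:9307:mysql41
    listen = /var/run/searchd.sock
    log    = /var/log/searchd.log
}
"""

def classify_listen(value):
    """Return (scope, detail) for one searchd 'listen' value."""
    value = value.strip()
    if value.startswith("/"):
        return ("local", "unix socket")
    first = value.split(":")[0]
    if first.isdigit():
        # A bare port carries no bind address, so every interface is used.
        return ("all-interfaces", "port only, no bind address")
    if first == "0.0.0.0":
        return ("all-interfaces", "explicit 0.0.0.0")
    if first == "localhost" or first.startswith("127."):
        return ("local", "loopback")
    return ("specific", "bound to " + first)

def audit_searchd(conf_text):
    """Return [(listen_value, scope, detail), ...] for the searchd section."""
    m = re.search(r"^\s*searchd\s*\{(.*?)^\s*\}", conf_text, re.S | re.M)
    if not m:
        return []  # no searchd section, nothing to audit
    lines = [l.split("#", 1)[0] for l in m.group(1).splitlines()]
    values = [l.split("=", 1)[1].strip()
              for l in lines if re.match(r"\s*listen\s*=", l)]
    if not values:
        # Assumption: with no listen directive the default the advisory
        # describes (0.0.0.0) applies.
        return [("(no listen directive)", "all-interfaces", "default")]
    return [(v,) + classify_listen(v) for v in values]

def exposed(conf_text):
    """Listeners reachable on every interface; these need review."""
    return [r for r in audit_searchd(conf_text) if r[1] == "all-interfaces"]

if __name__ == "__main__":
    for value, scope, detail in audit_searchd(SAMPLE_CONF):
        print(f"{scope:15} {value:28} {detail}")
```

Listeners reported as `specific` are bound to one named address and still need a check that the address is not reachable from untrusted networks.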


How to mitigate CVE-2019-14511

Install updates from vendor's website.
