SQL injection in HP Network Automation - CVE-2017-5810
Published: May 10, 2017
Vulnerability identifier: #VU6505
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-5810
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Hewlett Packard Enterprise Development LP
Affected software:
HP Network Automation
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application's database.
The weakness exists due to insufficient sanitization of user-supplied input processed by the affected application. A remote unauthenticated attacker can send a request containing specially crafted parameter values and execute arbitrary SQL commands.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable website.
How to mitigate CVE-2017-5810
Update to version 10.00.022, 10.11.03 or 10.21.01.