CVE-2014-2503

The thumbnail proxy server in EMC Documentum Digital Asset Manager (DAM) 6.5 SP3, 6.5 SP4, 6.5 SP5, and 6.5 SP6 before P13 allows remote attackers to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on querying objects via a crafted parameter in a query string.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2014-06/0037.html
http://packetstormsecurity.com/files/126947/EMC-Documentum-Digital-Asset-Manager-Blind-DQL-Injection.html
http://www.securityfocus.com/bid/67868
http://www.securitytracker.com/id/1030348

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp3::::::
	cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp4::::::
	cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp5::::::
	cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp6::::::

History

No history.

Information

Published : 2014-06-06 00:55

Updated : 2024-02-04 18:35

NVD link : CVE-2014-2503

Mitre link : CVE-2014-2503

CVE.ORG link : CVE-2014-2503

JSON object : View

Products Affected

emc

documentum_digital_asset_manager

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2014-2503", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-06-06T00:55:04.103", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2014-06/0037.html", "source": "security_alert@emc.com"}, {"url": "http://packetstormsecurity.com/files/126947/EMC-Documentum-Digital-Asset-Manager-Blind-DQL-Injection.html", "source": "security_alert@emc.com"}, {"url": "http://www.securityfocus.com/bid/67868", "source": "security_alert@emc.com"}, {"url": "http://www.securitytracker.com/id/1030348", "source": "security_alert@emc.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The thumbnail proxy server in EMC Documentum Digital Asset Manager (DAM) 6.5 SP3, 6.5 SP4, 6.5 SP5, and 6.5 SP6 before P13 allows remote attackers to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on querying objects via a crafted parameter in a query string."}, {"lang": "es", "value": "El servidor proxy en miniatura en EMC Documentum Digital Asset Manager (DAM) 6.5 SP3, 6.5 SP4, 6.5 SP5 y 6.5 SP6 anterior a P13 permite a atacantes remotos realizar ataques de inyecci\u00f3n Documentum Query Language (DQL) y evadir restricciones en objetos de consulta a trav\u00e9s de un par\u00e1metro manipulado en una cadena de consulta."}], "lastModified": "2014-06-18T04:32:05.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FAFF369-27B7-4AC3-B7EE-EEF3301A0F32"}, {"criteria": "cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68E91401-70C8-4243-AAB6-1968566E5A92"}, {"criteria": "cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26B23E41-DD76-41EB-9BBA-F47F54B1AA96"}, {"criteria": "cpe:2.3:a:emc:documentum_digital_asset_manager:6.5:sp6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B5E3E9B-9BD5-4B1B-B197-C5F1C673134E"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}