CVE-2023-29245

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-29245
A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, may allow an unauthenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application by sending specially crafted malicious network packets. Malicious users with extensive knowledge on the underlying system may be able to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and/or affect its availability.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://security.nozominetworks.com/NN-2023:11-01 Vendor Advisory
https://security.nozominetworks.com/NN-2023:11-01 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
History

21 Nov 2024, 07:56

Type Values Removed Values Added
References () https://security.nozominetworks.com/NN-2023:11-01 - Vendor Advisory () https://security.nozominetworks.com/NN-2023:11-01 - Vendor Advisory
CVSS v2 : unknown
v3 : 7.4 		v2 : unknown
v3 : 8.1

20 Sep 2024, 11:15

Type Values Removed Values Added
Summary (en) A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, may allow an unauthenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application by sending specially crafted malicious network packets. Malicious users with extensive knowledge on the underlying system may be able to extract arbitrary information from the DBMS in an uncontrolled way, or to alter its structure and data. (en) A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain fields used in the Asset Intelligence functionality of our IDS, may allow an unauthenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application by sending specially crafted malicious network packets. Malicious users with extensive knowledge on the underlying system may be able to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and/or affect its availability.

28 May 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-09-19 11:16

Updated : 2024-11-21 07:56

NVD link : CVE-2023-29245

Mitre link : CVE-2023-29245

CVE.ORG link : CVE-2023-29245

JSON object : View

Products Affected

nozominetworks

  • guardian
  • cmc
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')