Bug 1065396 (CVE-2017-14807)

Summary: VUL-1: CVE-2017-14807: studio: SQL injection in ui-server/app/models/diary_entry.rb
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:planned:update CVSSv2:NVD:CVE-2017-14807:5.5:(AV:N/AC:L/Au:S/C:P/I:P/A:N) CVSSv3.1:NVD:CVE-2017-14807:8.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-10-27 07:25:30 UTC
In self.paginated_search the SQL query is built manually from untrusted input:
      sql += " LOWER(event) LIKE LOWER('#{event.downcase}')"
Event is controlled by the user.

Example: 
http://192.168.122.76/admin/diary?utf8=%E2%9C%93&authenticity_token=qzFRENODQHjMqJNJ&diary_from=YYYY-MM-DD&diary_to=now&event=logged_in%27)%20or%20(%271%27=%271&commit=Apply+filter

As far as I can see, the diary is only accessible to the admin. I'm not sure if, in the SUSE Studio context, 'studio admin' == 'server admin'. If not, we should fix it if we do another update for Studio.
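The following is an added illustration, not code from SUSE Studio or from the reporter: it reproduces the concatenation pattern quoted above, feeds it the URL-decoded event= value from the example request, and puts a parameterised version next to it. The table name diary_entries, the "WHERE 1=1" scaffold and the tiny '?' binder are assumptions standing in for the real model and the ActiveRecord call (DiaryEntry.where("LOWER(event) LIKE LOWER(?) ESCAPE '\\'", value)).

```ruby
# Added example, not SUSE Studio code. Table name, column set and the
# "WHERE 1=1" scaffold are assumptions; PAYLOAD is the event= parameter
# from the report's example URL, URL-decoded.
PAYLOAD = "logged_in') or ('1'='1"

# Vulnerable: the filter value is interpolated into the SQL text, so the
# single quote in it terminates the literal and the rest is parsed as SQL.
def vulnerable_search_sql(event)
  sql = "SELECT * FROM diary_entries WHERE 1=1"                  # assumed scaffold
  unless event.nil? || event.empty?
    sql += " AND LOWER(event) LIKE LOWER('#{event.downcase}')"    # pattern from the report
  end
  sql
end

# Hardened: the value is bound, never spliced into the statement text.
# This is a minimal '?' binder that quotes the way a driver does (doubling
# single quotes); with ActiveRecord the equivalent is
#   DiaryEntry.where("LOWER(event) LIKE LOWER(?) ESCAPE '\\'", value)
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def bind(sql, *values)
  parts = sql.split("?", -1)                 # split BEFORE any value is inserted,
  unless parts.size - 1 == values.size       # so a '?' inside a value is never a placeholder
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  quoted = values.map { |v| quote_literal(v) }
  parts.zip(quoted + [""]).flatten.join
end

# LIKE has its own metacharacters: binding stops injection, but a bare '%'
# would still match every row, so escape '%', '_' and the escape char itself
# and declare it in the ESCAPE clause.
def escape_like(value)
  value.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

def hardened_search_sql(event)
  sql = "SELECT * FROM diary_entries WHERE 1=1"
  return sql if event.nil? || event.empty?
  bind(sql + " AND LOWER(event) LIKE LOWER(?) ESCAPE '\\'", escape_like(event.downcase))
end

# Crude structural check: list the string literals of the rendered SQL.
# The vulnerable form turns one input into three literals (the tautology
# became SQL); the hardened form yields the whole input as one literal,
# followed only by the ESCAPE character.
def string_literals(sql)
  sql.scan(/'((?:[^']|'')*)'/).flatten.map { |s| s.gsub("''", "'") }
end

if __FILE__ == $0
  puts vulnerable_search_sql(PAYLOAD)
  p string_literals(vulnerable_search_sql(PAYLOAD))
  puts hardened_search_sql(PAYLOAD)
  p string_literals(hardened_search_sql(PAYLOAD))
end
```

Running it prints the injected statement (`... LIKE LOWER('logged_in') or ('1'='1')`) next to the bound one, where the same payload survives only as a quoted literal. The LIKE escaping is the extra step a reviewer would ask for even after the injection is gone: without it an authenticated user can still pass `%` and dump every diary row.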
Comment 1 Johannes Segitz 2020-01-27 08:52:57 UTC
Studio EOL