| Summary: |
VUL-1: CVE-2017-14807: studio: SQL injection in ui-server/app/models/diary_entry.rb |
| Product: |
[Novell Products] SUSE Security Incidents
|
Reporter: |
Johannes Segitz <jsegitz> |
| Component: |
Incidents | Assignee: |
Security Team bot <security-team> |
| Status: |
RESOLVED
WONTFIX
|
QA Contact: |
Security Team bot <security-team> |
| Severity: |
Minor
|
|
|
| Priority: |
P4 - Low
|
|
|
| Version: |
unspecified | |
|
| Target Milestone: |
--- | |
|
| Hardware: |
Other | |
|
| OS: |
Other | |
|
| Whiteboard: |
maint:planned:update CVSSv2:NVD:CVE-2017-14807:5.5:(AV:N/AC:L/Au:S/C:P/I:P/A:N) CVSSv3.1:NVD:CVE-2017-14807:8.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) |
|
Found By:
|
--- |
Services Priority:
|
|
|---|
|
Business Priority:
|
|
Blocker:
|
--- |
|---|
|
Marketing QA Status:
|
--- |
IT Deployment:
|
--- |
|---|
in self.paginated_search sql query is build manually from untrusted input: sql += " LOWER(event) LIKE LOWER('#{event.downcase}')" Event is controlled by the user. Example: http://192.168.122.76/admin/diary?utf8=%E2%9C%93&authenticity_token=qzFRENODQHjMqJNJ&diary_from=YYYY-MM-DD&diary_to=now&event=logged_in%27)%20or%20(%271%27=%271&commit=Apply+filter As far as I can see the diary is only accessible to the admin. I'm not sure if in the SUSE studio context 'studio admin' == 'server admin'. If not we should fix it if we do another update for studio.