CVE-2016-6656 - OpenCVE

An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser 'gpadmin' access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pivotal Software	Greenplum

Configuration 1 [-]

cpe:2.3:a:pivotal_software:greenplum:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/94954
https://pivotal.io/security/cve-2016-6656

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2016-12-16T09:02:00

Updated: 2024-08-06T01:36:29.475Z

Reserved: 2016-08-10T00:00:00

Link: CVE-2016-6656

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-12-16T09:59:00.230

Modified: 2016-12-22T03:00:20.107

Link: CVE-2016-6656

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Pivotal Greenplum 4.3.0.0 to 4.3.9.1 and older versions that are end of life", "vendor": "n/a", "versions": [{"status": "affected", "version": "Pivotal Greenplum 4.3.0.0 to 4.3.9.1 and older versions that are end of life"}]}], "datePublic": "2016-12-16T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser 'gpadmin' access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table."}], "problemTypes": [{"descriptions": [{"description": "Code injection vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T10:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2016-6656"}, {"name": "94954", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94954"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2016-6656", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pivotal Greenplum 4.3.0.0 to 4.3.9.1 and older versions that are end of life", "version": {"version_data": [{"version_value": "Pivotal Greenplum 4.3.0.0 to 4.3.9.1 and older versions that are end of life"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser 'gpadmin' access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Code injection vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2016-6656", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2016-6656"}, {"name": "94954", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94954"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:36:29.475Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2016-6656"}, {"name": "94954", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94954"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2016-6656", "datePublished": "2016-12-16T09:02:00", "dateReserved": "2016-08-10T00:00:00", "dateUpdated": "2024-08-06T01:36:29.475Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:greenplum:*:*:*:*:*:*:*:*", "matchCriteriaId": "3286813A-D4A4-40DA-9251-6B6ED0D4D8C9", "versionEndIncluding": "4.3.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser 'gpadmin' access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table."}, {"lang": "es", "value": "Ha sido descubierto un problema en Pivotal Greenplum en versiones anteriores a 4.3.10.0. La creaci\u00f3n de tablas externas usando el protocolo GPHDFS tiene una vulnerabilidad por la cual se pueden inyectar comandos arbitrarios en el sistema. Para explotar esta vulnerabilidad, el usuario debe tener acceso de superusuario 'gpadmin' al sistema o habersele concedido permisos de protocolo GPHDFS para crear una tabla externa de GPHDFS."}], "id": "CVE-2016-6656", "lastModified": "2016-12-22T03:00:20.107", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-12-16T09:59:00.230", "references": [{"source": "security_alert@emc.com", "url": "http://www.securityfocus.com/bid/94954"}, {"source": "security_alert@emc.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://pivotal.io/security/cve-2016-6656"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}