CVE-2019-1010191 - Vulnerability Details - OpenCVE

marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00282.

Key SSVC decision points have not yet been added.

Vendors	Products
Marginalia Project	Marginalia

Configuration 1 [-]

cpe:2.3:a:marginalia_project:marginalia:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/basecamp/marginalia/pull/73/

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-24T13:10:33

Updated: 2024-08-05T03:07:18.470Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010191

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-24T14:15:11.033

Modified: 2024-11-21T04:18:02.417

Link: CVE-2019-1010191

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "marginalia", "vendor": "marginalia", "versions": [{"status": "affected", "version": "< 1.6 [fixed: 1.6]"}]}], "descriptions": [{"lang": "en", "value": "marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6."}], "problemTypes": [{"descriptions": [{"description": "SQL Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-24T13:10:33", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/basecamp/marginalia/pull/73/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010191", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "marginalia", "version": {"version_data": [{"version_value": "< 1.6 [fixed: 1.6]"}]}}]}, "vendor_name": "marginalia"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/basecamp/marginalia/pull/73/", "refsource": "MISC", "url": "https://github.com/basecamp/marginalia/pull/73/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.470Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/basecamp/marginalia/pull/73/"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010191", "datePublished": "2019-07-24T13:10:33", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.470Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:marginalia_project:marginalia:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6B3F5B4-54E1-4AF3-865C-FB0178ECD2BC", "versionEndExcluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6."}, {"lang": "es", "value": "La marginalia anterior a la versi\u00f3n 1.6 se ve afectada por: Inyecci\u00f3n de SQL. El impacto es: el impacto es una inyecci\u00f3n de cualquier consulta SQL cuando se agrega un argumento de controlador de usuario como un componente. El componente es: Afecta a los usuarios que agregan un componente que es controlador de usuario, por ejemplo, un par\u00e1metro o un encabezado. El vector de ataque es: Hacker ingresa un SQL a un vector vulnerable (encabezado, par\u00e1metro http, etc.). La versi\u00f3n fija es: 1.6."}], "id": "CVE-2019-1010191", "lastModified": "2024-11-21T04:18:02.417", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-24T14:15:11.033", "references": [{"source": "josh@bress.net", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/basecamp/marginalia/pull/73/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/basecamp/marginalia/pull/73/"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}