CVE-2021-40861 - OpenCVE

A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Genesys	Intelligent Workload Distribution Manager

Configuration 1 [-]

cpe:2.3:a:genesys:intelligent_workload_distribution_manager:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://docs.genesys.com/Documentation/IWD
https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-12-08T14:58:13

Updated: 2024-08-04T02:51:07.703Z

Reserved: 2021-09-10T00:00:00

Link: CVE-2021-40861

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-08T15:15:10.127

Modified: 2021-12-13T15:08:28.390

Link: CVE-2021-40861

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-08T14:58:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.genesys.com/Documentation/IWD"}, {"tags": ["x_refsource_MISC"], "url": "https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-40861", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.genesys.com/Documentation/IWD", "refsource": "MISC", "url": "https://docs.genesys.com/Documentation/IWD"}, {"name": "https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/", "refsource": "MISC", "url": "https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:51:07.703Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.genesys.com/Documentation/IWD"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-40861", "datePublished": "2021-12-08T14:58:13", "dateReserved": "2021-09-10T00:00:00", "dateUpdated": "2024-08-04T02:51:07.703Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:genesys:intelligent_workload_distribution_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CD31329-7CF3-48A9-A24C-8F34C3F24D7C", "versionEndExcluding": "9.0.017.07", "versionStartIncluding": "9.0.013.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine."}, {"lang": "es", "value": "Una inyecci\u00f3n SQL en el componente de consulta de filtro personalizado en Genesys intelligent Workload Distribution (IWD) versi\u00f3n 9.0.017.07, permite a un atacante ejecutar consultas SQL arbitrarias por medio del atributo value, con el que pueden extraerse todos los datos de la base de datos y es posible la ejecuci\u00f3n de comandos del Sistema Operativo dependiendo de los permisos y/o del motor de la base de datos"}], "id": "CVE-2021-40861", "lastModified": "2021-12-13T15:08:28.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-08T15:15:10.127", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Release Notes", "Vendor Advisory"], "url": "https://docs.genesys.com/Documentation/IWD"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}