OpenCVE

A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sophos	Xg Firewall Xg Firewall Firmware

Configuration 1 [-]

AND

cpe:2.3:o:sophos:xg_firewall_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sophos:xg_firewall:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.sophos.com/en-us/security-advisories/sophos-sa-20221201-sfos-19-5-0

History

No history.

MITRE

Status: PUBLISHED

Assigner: Sophos

Published: 2022-12-01T00:00:00

Updated: 2024-08-03T01:20:57.030Z

Reserved: 2022-10-27T00:00:00

Link: CVE-2022-3710

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-01T18:15:10.453

Modified: 2024-11-21T07:20:05.283

Link: CVE-2022-3710

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sophos:xg_firewall_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D6FDEB7-9C9F-4D08-8A83-D0C7B1A4EEC7", "versionEndExcluding": "19.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sophos:xg_firewall:-:*:*:*:*:*:*:*", "matchCriteriaId": "9628D079-44BD-479E-BE63-9BEF824B4E4B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL de solo lectura posterior a la autenticaci\u00f3n permite a los clientes API leer contenidos de bases de datos de configuraci\u00f3n no confidenciales en el controlador API de versiones de Sophos Firewall anteriores a la versi\u00f3n 19.5 GA."}], "id": "CVE-2022-3710", "lastModified": "2024-11-21T07:20:05.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-alert@sophos.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-01T18:15:10.453", "references": [{"source": "security-alert@sophos.com", "tags": ["Vendor Advisory"], "url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20221201-sfos-19-5-0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20221201-sfos-19-5-0"}], "sourceIdentifier": "security-alert@sophos.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}