OpenCVE

A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Avaya	Aura System Manager

Configuration 1 [-]

OR	cpe:2.3:a:avaya:aura_system_manager::::::::
	cpe:2.3:a:avaya:aura_system_manager:10.2:::::::*

No data.

References

Link	Providers
https://download.avaya.com/css/public/documents/101091159

History

Wed, 11 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:avaya:aura_system_manager:10.2:::::::*

Fri, 09 Aug 2024 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Avaya Avaya aura System Manager
CPEs		cpe:2.3:a:avaya:aura_system_manager::::::::
Vendors & Products		Avaya Avaya aura System Manager
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 08 Aug 2024 16:15:00 +0000

Type	Values Removed	Values Added
Description		A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.
Title		Avaya Aura System Manager SQL injection vulnerability
Weaknesses		CWE-89
References		https://download.avaya.com/css/public/documents/101091159
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: avaya

Published: 2024-08-08T16:02:43.125Z

Updated: 2024-08-09T18:21:58.052Z

Reserved: 2024-08-05T07:37:13.538Z

Link: CVE-2024-7477

Vulnrichment

Updated: 2024-08-09T18:21:53.406Z

NVD

Status : Analyzed

Published: 2024-08-08T16:15:09.363

Modified: 2024-09-11T15:03:06.637

Link: CVE-2024-7477

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7477", "assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "state": "PUBLISHED", "assignerShortName": "avaya", "dateReserved": "2024-08-05T07:37:13.538Z", "datePublished": "2024-08-08T16:02:43.125Z", "dateUpdated": "2024-08-09T18:21:58.052Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Aura System Manager", "vendor": "Avaya", "versions": [{"status": "affected", "version": "10.1.x.x"}, {"status": "affected", "version": "10.2.x.x"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A SQL injection vulnerability was found which could allow a command line interface (CLI) user with <span style=\"background-color: rgb(255, 255, 255);\">administrative privileges to execute arbitrary queries against the <span style=\"background-color: rgb(255, 255, 255);\">Avaya Aura System Manager </span>database. \n\nAffected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.\n\n</span> "}], "value": "A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the\u00a0Avaya Aura System Manager\u00a0database.\u00a0\n\nAffected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya", "dateUpdated": "2024-08-08T16:02:43.125Z"}, "references": [{"url": "https://download.avaya.com/css/public/documents/101091159"}], "source": {"defect": ["ZEPHYR-70310"], "discovery": "EXTERNAL"}, "title": "Avaya Aura System Manager SQL injection vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "avaya", "product": "aura_system_manager", "cpes": ["cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "10.1.x.x", "status": "affected"}, {"version": "10.2.x.x", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-09T18:20:16.174969Z", "id": "CVE-2024-7477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:21:58.052Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-09T18:20:16.174969Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*"], "vendor": "avaya", "product": "aura_system_manager", "versions": [{"status": "affected", "version": "10.1.x.x"}, {"status": "affected", "version": "10.2.x.x"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:21:53.406Z"}}], "cna": {"title": "Avaya Aura System Manager SQL injection vulnerability", "source": {"defect": ["ZEPHYR-70310"], "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Avaya", "product": "Aura System Manager", "versions": [{"status": "affected", "version": "10.1.x.x"}, {"status": "affected", "version": "10.2.x.x"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://download.avaya.com/css/public/documents/101091159"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the\u00a0Avaya Aura System Manager\u00a0database.\u00a0\n\nAffected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.", "supportingMedia": [{"type": "text/html", "value": "A SQL injection vulnerability was found which could allow a command line interface (CLI) user with <span style=\"background-color: rgb(255, 255, 255);\">administrative privileges to execute arbitrary queries against the <span style=\"background-color: rgb(255, 255, 255);\">Avaya Aura System Manager </span>database. \n\nAffected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.\n\n</span> ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya", "dateUpdated": "2024-08-08T16:02:43.125Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7477", "state": "PUBLISHED", "dateUpdated": "2024-08-09T18:21:58.052Z", "dateReserved": "2024-08-05T07:37:13.538Z", "assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "datePublished": "2024-08-08T16:02:43.125Z", "assignerShortName": "avaya"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "263DE525-434E-48C3-A891-8CF42C0AEBC8", "versionEndIncluding": "10.1.2", "versionStartIncluding": "10.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:aura_system_manager:10.2:*:*:*:*:*:*:*", "matchCriteriaId": "2D5372F1-A670-44CD-B834-A3126F83F9D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the\u00a0Avaya Aura System Manager\u00a0database.\u00a0\n\nAffected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de inyecci\u00f3n SQL que podr\u00eda permitir que un usuario de interfaz de l\u00ednea de comandos (CLI) con privilegios administrativos ejecute consultas arbitrarias en la base de datos de Avaya Aura System Manager. Las versiones afectadas incluyen 10.1.xx y 10.2.xx. Las versiones anteriores a 10.1 finalizan el soporte del fabricante."}], "id": "CVE-2024-7477", "lastModified": "2024-09-11T15:03:06.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.9, "source": "securityalerts@avaya.com", "type": "Secondary"}]}, "published": "2024-08-08T16:15:09.363", "references": [{"source": "securityalerts@avaya.com", "tags": ["Vendor Advisory"], "url": "https://download.avaya.com/css/public/documents/101091159"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "securityalerts@avaya.com", "type": "Secondary"}]}