VU#122142: Mercator SENTINEL SQL injection allows authentication bypass

Published: September 15, 2011
Source: www.kb.cert.org

CVSS2 base score: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL

EPSS: 0.009 (Low), percentile 82.7%

Overview

Mercator SENTINEL contains an SQL injection vulnerability that could allow an attacker to bypass authentication and access the system with administrative privileges.

Description

Mercator SENTINEL is a flight safety management system. The login form of the web interface contains an SQL injection vulnerability. Please see CERT-NPS:2011:005 for more information.
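The defect class the description names, a login form whose SQL is built from user input, shown side by side with a hardened login routine. This is an added example written for this page; it is not SENTINEL's code, and the advisory does not disclose the product's language, schema or query. The table names (`users_legacy`, `users`), the sample accounts and their passwords are all constructed. The point it demonstrates: a username containing a quote and a comment marker changes the structure of the concatenated query and returns the first (administrative) row without a valid password, while the parameterized query treats the same string as literal data and the lookup fails.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the example (not from the advisory).
USERS = [
    ("admin", "Adm1n-Pass-2011", "administrator"),
    ("pilot1", "Pil0t-Pass", "user"),
]


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a slow hash so stolen rows are not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory database with two assumed schemas: a legacy plaintext table
    used by the vulnerable routine and a hashed table used by the hardened one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_legacy (username TEXT, password TEXT, role TEXT)")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT)"
    )
    for name, pw, role in USERS:
        conn.execute("INSERT INTO users_legacy VALUES (?, ?, ?)", (name, pw, role))
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (name, salt, _hash_password(pw, salt), role),
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The defect pattern: the WHERE clause is assembled by string formatting,
    so quote characters in the input become part of the SQL grammar."""
    sql = (
        "SELECT username, role FROM users_legacy "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return {"username": row[0], "role": row[1]} if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: a parameterized lookup by username only, then a
    constant-time comparison of the salted hash. Input never reaches the parser."""
    row = conn.execute(
        "SELECT username, salt, pw_hash, role FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    name, salt, stored_hash, role = row
    if not hmac.compare_digest(stored_hash, _hash_password(password, salt)):
        return None
    return {"username": name, "role": role}


if __name__ == "__main__":
    db = build_db()
    crafted = "admin' --"  # constructed input: closes the quoted literal, comments out the rest
    print("legacy, valid creds :", login_vulnerable(db, "admin", "Adm1n-Pass-2011"))
    print("legacy, crafted name:", login_vulnerable(db, crafted, "anything"))
    print("safe, valid creds   :", login_safe(db, "admin", "Adm1n-Pass-2011"))
    print("safe, crafted name  :", login_safe(db, crafted, "anything"))
```

Detection-side note: the concatenated query is the thing to grep for in a code review (`f"... '{username}'"`, `"..." + username + "..."`, `String.format` with quotes around the placeholder); the fix is the parameter marker plus separate password verification, not input filtering. The advisory's "Restrict access" mitigation limits who can reach the form while the upgrade to 2.0.1.0 is scheduled.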


Impact

An attacker with network access to the SENTINEL web interface could access the system with administrative privileges.


Solution

Upgrade

Credible information indicates that this vulnerability is addressed in SENTINEL version 2.0.1.0.


Restrict access

Restrict access to the SENTINEL web interface to trusted users and networks.


Vendor Information


Mercator: Affected

Notified: June 22, 2011
Updated: October 14, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Credible information indicates that this vulnerability is addressed in SENTINEL version 2.0.1.0.

If you have feedback, comments, or additional information about this vulnerability, please send us email (subject: VU#122142 Feedback).

CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P |
| Temporal | 7.9 | E:F/RL:W/RC:UC |
| Environmental | 2.1 | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND |

References

Acknowledgements

Thanks to CERT-NETPEAS for reporting this vulnerability. Thanks also to ICS-CERT and aeCERT for their assistance.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2011-1913
Severity Metric: 1.22
Date Public:
