CVSS2: 6.5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.003 Low (Percentile: 69.1%)

F5 ARX Data Manager 3.0.0 - 3.1.0 contains a SQL injection vulnerability.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command
F5 ARX Data Manager 3.0.0 - 3.1.0 contains an unspecified SQL injection vulnerability.
A remote authenticated attacker may be able to run arbitrary SQL commands against the backend database.
The CERT/CC is currently unaware of a practical solution to this problem. Data Manager 3.x is considered end-of-life by the vendor and will not receive a security fix.
Stop the Service
F5 recommends stopping the Data Manager Service when not in use to mitigate this vulnerability. F5’s SOL15310 document explains how to disable the service.
210884
Notified: May 14, 2014 Updated: June 17, 2014
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 5.5 | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Temporal | 5.2 | E:F/RL:U/RC:C |
Environmental | 1.4 | CDP:L/TD:L/CR:M/IR:M/AR:L |
Thanks to Andrea Micalizzi (rgod) working with HP’s Zero Day Initiative for reporting this vulnerability to F5.
This document was written by Jared Allar.
CVE IDs: | CVE-2014-2949 |
---|---|
Date Public: | 2014-06-06 |
Date First Published: | |