CVE-2014-2520

2014-08-2011:17:13

CWE-264

[email protected]

web.nvd.nist.gov

emc

documentum

content server

dql injection

vulnerability

cve-2014-2520

nvd

6.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:C/I:N/A:N

8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.8%

JSON

EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07, when Oracle Database is used, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and read sensitive database content via a crafted request.

Affected configurations

NVD

Node

emcdocumentum_content_serverRange≤6.7sp2

emcdocumentum_content_serverMatch6.0

emcdocumentum_content_serverMatch6.5

emcdocumentum_content_serverMatch6.5sp1

emcdocumentum_content_serverMatch6.5sp2

emcdocumentum_content_serverMatch6.5sp3

emcdocumentum_content_serverMatch6.6

emcdocumentum_content_serverMatch6.7-

emcdocumentum_content_serverMatch6.7sp1

emcdocumentum_content_serverMatch7.0

emcdocumentum_content_serverMatch7.1

CPENameOperatorVersion
emc:documentum_content_serveremc documentum content serverle6.7
emc:documentum_content_serveremc documentum content servereq6.0
emc:documentum_content_serveremc documentum content servereq6.5
emc:documentum_content_serveremc documentum content servereq6.6
emc:documentum_content_serveremc documentum content servereq7.0
emc:documentum_content_serveremc documentum content servereq7.1

CPE	Name	Operator	Version
emc:documentum_content_server	emc documentum content server	le	6.7
emc:documentum_content_server	emc documentum content server	eq	6.0
emc:documentum_content_server	emc documentum content server	eq	6.5
emc:documentum_content_server	emc documentum content server	eq	6.6
emc:documentum_content_server	emc documentum content server	eq	7.0
emc:documentum_content_server	emc documentum content server	eq	7.1