History: Aug 08, 2024 - 4:15 p.m.

CVE-2024-7477

2024-08-08 16:15:09
CWE-89
avaya
web.nvd.nist.gov
cve-2024-7477
avaya aura system manager
sql injection
administrative privileges
arbitrary queries
database vulnerability

CVSS3: 6.7

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0
Percentile: 9.5%

A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database.

Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.

Affected configurations

Nvd
Node
  avaya aura_system_manager, Range: 10.1–10.1.2
  OR
  avaya aura_system_manager, Match: 10.2

Vendor | Product | Version | CPE
avaya | aura_system_manager | * | cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*
avaya | aura_system_manager | 10.2 | cpe:2.3:a:avaya:aura_system_manager:10.2:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Aura System Manager",
    "vendor": "Avaya",
    "versions": [
      {
        "status": "affected",
        "version": "10.1.x.x"
      },
      {
        "status": "affected",
        "version": "10.2.x.x"
      }
    ]
  }
]
