CVSS2 Base Score: 7.5 (High)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
The management GUI of Symantec Web Gateway is susceptible to blind SQL injection, which could allow arbitrary SQL to be injected into the backend database.
| Product | Version | Solution |
|---|---|---|
| Symantec Web Gateway | 4.5.x | Upgrade to Symantec Web Gateway 5.0.1 |
Severity: Medium
CVSS2 Base Score: 5.82
Impact 6.4, Exploitability 6.45
CVSS2 Vector: AV:A/AC:L/Au:N/C:P/I:P/A:P
Exploit Publicly Available: No
Details
Symantec was notified of a blind SQL injection vulnerability in the management console of the Symantec Web Gateway Appliance. The interface fails to properly filter/validate external input.
In a normal installation, the affected management interface should not be accessible external to the network. However, an authorized but unprivileged network user or an external attacker who is able to leverage network access could attempt such an attack against the management interface. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input to the backend database.
Symantec Response
Symantec engineers have verified this issue and released an update to address it. This issue is resolved in Symantec Web Gateway 5.0.1 currently available to customers through normal update channels.
Symantec is not aware of any exploitation of, or adverse customer impact from this issue.
Best Practices
As part of normal best practices, Symantec strongly recommends:
This issue was reported by an anonymous finder through TippingPoint's Zero Day Initiative.
BID: Security Focus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID) 48318 to this issue for inclusion in the Security Focus vulnerability database.
CVE: This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2011-0549.
CPE

| Name | Operator | Version |
|---|---|---|
| symantec web gateway | eq | 4 |