#VU6505 SQL injection in HP Network Automation - CVE-2017-5810

Cybersecurity Help s.r.o.

Published: 2017-05-10

Vulnerability identifier: #VU6505

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5810

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HP Network Automation
Client/Desktop applications / Software for system administration

Vendor: Hewlett Packard Enterprise Development LP

Description
The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.

The weakness exists due to insufficient sanitization of user-supplied input processed by the affected application. A remote unauthenticated attacker can send a specially crafted request that contains crafted parameter values and execute arbitrary SQL commands.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable website.

Mitigation
Update to version 10.00.022, 10.11.03 or 10.21.01.

Vulnerable software versions

HP Network Automation: 9.1 - 10.20

External links
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03740en_us

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities HP Network Automation