MachineName Parameter can be used to Exploit a SQL Injection Vulnerability in App Broker
Symptoms:
A SQL injection vulnerability in App Broker 2018R1 and earlier allows local users to execute arbitrary SQL commands via the MachineName parameter.
Diagnosis:
The machine name sent by the client is not validated, and can be used to deliver SQL commands that would be interpreted by the database engine.
Steps to Reproduce:
Steps to reproduce are not available at this time, as this issue was discovered through a vulnerability scan of App Broker.
Resolution:
This issue has been resolved in App Broker 2019 R1. Please download the latest version of App Broker 2019 R1 from the PLC download area.
Additional Information:
This issue has been tracked under issue number IOJ-1908386.
For release notes and resolved issues in App Broker 2019 R1, please visit:
https://helpnet.flexerasoftware.com/appportal/rn2019r1/AppPortalAppBroker2019r1ReleaseNotes.htm#reso...
Related Documents:
Secunia Research at Flexera has issued an advisory SA88121.
A copy of the advisory is attached to this article.
A copy of the advisory is attached to this article.
No ratings
