CVE-2015-2972 - OpenCVE

Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sysphonic	Thetis

Configuration 1 [-]

cpe:2.3:a:sysphonic:thetis:*:*:*:*:*:*:*:*

References

Link	Resource
http://jvn.jp/en/jp/JVN19011483/index.html	Vendor Advisory
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000099	Vendor Advisory
http://sysphonic.com/en/thetis/THETIS-SEC-001.html	Vendor Advisory
https://github.com/sysphonic/thetis/commit/1b8234706e1294f41df42f3d1ccb71b983ffbe23
https://github.com/sysphonic/thetis/commit/4ca3f5f486759660b87d7c146f1fdc11264f56eb
https://github.com/sysphonic/thetis/commit/8004ee0c384daae0b28478ff8193d1990c397f57
https://github.com/sysphonic/thetis/commit/842e44f0c2bd7d680430bb89a3bb78fd744961f9
https://github.com/sysphonic/thetis/commit/a61dc72035c7ae0b06f6d7dc8b2a848ffc7db277
https://github.com/sysphonic/thetis/commit/c07e255d2296d50a0bffafaf66a76f8f1b53621f
https://github.com/sysphonic/thetis/commit/ce535a38ec92ff0f98af11ab41a425d1529a31ef
https://github.com/sysphonic/thetis/commit/d9ed965075634ca1a095b480b459c68445ce951d

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2015-07-19T15:00:00

Updated: 2015-07-19T15:57:02

Reserved: 2015-04-07T00:00:00

Link: CVE-2015-2972

JSON object: View

NVD Information

Status : Analyzed

Published: 2015-07-19T15:59:00.087

Modified: 2015-07-20T17:28:26.997

Link: CVE-2015-2972

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-07-15T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-07-19T15:57:02", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/ce535a38ec92ff0f98af11ab41a425d1529a31ef"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/8004ee0c384daae0b28478ff8193d1990c397f57"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/4ca3f5f486759660b87d7c146f1fdc11264f56eb"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sysphonic.com/en/thetis/THETIS-SEC-001.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/1b8234706e1294f41df42f3d1ccb71b983ffbe23"}, {"name": "JVNDB-2015-000099", "tags": ["third-party-advisory", "x_refsource_JVNDB"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000099"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/d9ed965075634ca1a095b480b459c68445ce951d"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/842e44f0c2bd7d680430bb89a3bb78fd744961f9"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/c07e255d2296d50a0bffafaf66a76f8f1b53621f"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sysphonic/thetis/commit/a61dc72035c7ae0b06f6d7dc8b2a848ffc7db277"}, {"name": "JVN#19011483", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN19011483/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2015-2972", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sysphonic/thetis/commit/ce535a38ec92ff0f98af11ab41a425d1529a31ef", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/ce535a38ec92ff0f98af11ab41a425d1529a31ef"}, {"name": "https://github.com/sysphonic/thetis/commit/8004ee0c384daae0b28478ff8193d1990c397f57", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/8004ee0c384daae0b28478ff8193d1990c397f57"}, {"name": "https://github.com/sysphonic/thetis/commit/4ca3f5f486759660b87d7c146f1fdc11264f56eb", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/4ca3f5f486759660b87d7c146f1fdc11264f56eb"}, {"name": "http://sysphonic.com/en/thetis/THETIS-SEC-001.html", "refsource": "CONFIRM", "url": "http://sysphonic.com/en/thetis/THETIS-SEC-001.html"}, {"name": "https://github.com/sysphonic/thetis/commit/1b8234706e1294f41df42f3d1ccb71b983ffbe23", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/1b8234706e1294f41df42f3d1ccb71b983ffbe23"}, {"name": "JVNDB-2015-000099", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000099"}, {"name": "https://github.com/sysphonic/thetis/commit/d9ed965075634ca1a095b480b459c68445ce951d", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/d9ed965075634ca1a095b480b459c68445ce951d"}, {"name": "https://github.com/sysphonic/thetis/commit/842e44f0c2bd7d680430bb89a3bb78fd744961f9", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/842e44f0c2bd7d680430bb89a3bb78fd744961f9"}, {"name": "https://github.com/sysphonic/thetis/commit/c07e255d2296d50a0bffafaf66a76f8f1b53621f", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/c07e255d2296d50a0bffafaf66a76f8f1b53621f"}, {"name": "https://github.com/sysphonic/thetis/commit/a61dc72035c7ae0b06f6d7dc8b2a848ffc7db277", "refsource": "CONFIRM", "url": "https://github.com/sysphonic/thetis/commit/a61dc72035c7ae0b06f6d7dc8b2a848ffc7db277"}, {"name": "JVN#19011483", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN19011483/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2015-2972", "datePublished": "2015-07-19T15:00:00", "dateReserved": "2015-04-07T00:00:00", "dateUpdated": "2015-07-19T15:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sysphonic:thetis:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE53F446-506C-48F6-8796-6320AEB1F1B2", "versionEndIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Sysphonic Thetis en versiones anteriores a la 2.3.0, permite a atacantes remotos ejecutar comandos SQL de forma arbitraria a trav\u00e9s de vectores no especificados."}], "id": "CVE-2015-2972", "lastModified": "2015-07-20T17:28:26.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-07-19T15:59:00.087", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://jvn.jp/en/jp/JVN19011483/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000099"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://sysphonic.com/en/thetis/THETIS-SEC-001.html"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/1b8234706e1294f41df42f3d1ccb71b983ffbe23"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/4ca3f5f486759660b87d7c146f1fdc11264f56eb"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/8004ee0c384daae0b28478ff8193d1990c397f57"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/842e44f0c2bd7d680430bb89a3bb78fd744961f9"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/a61dc72035c7ae0b06f6d7dc8b2a848ffc7db277"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/c07e255d2296d50a0bffafaf66a76f8f1b53621f"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/ce535a38ec92ff0f98af11ab41a425d1529a31ef"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/sysphonic/thetis/commit/d9ed965075634ca1a095b480b459c68445ce951d"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}