Novell ZENworks Patch Management Server 6.0.0.52 - SQL injection

2005.10.28

Credit: CIRT.DK Advisory

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2005-3315

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

The Novell ZENworks Patch Management Server 6.0.0.52 is vulnerable to
SQL injection in the management console.
To being able to exploit this issue the administrator have to
manually created a none-privileged account as minimum, to allow
exploitation.
Fix:
Upgrade to ZENworks Patch Management version 6.2.2.181
(or newer hot fix via your PLUS server) found at http://download.novell.com.
Note:
The 6.0.0.52 CD ISO image was on the Novell download site up until the 2nd
week of September, 2005.
The ZENworks Patch Management CD ISO image that is currently available at
the download site at the
time of this document being published
http://download.novell.com/Download?buildid=5_kRStyf9wU~
ISO Name: ZEN_PatchMgmt_Upd6.2.iso Size: 323.8 MB
(339607552) MD5: aeb244ecdf29c83cb8388fae1a6a1919
A technical description of the vulnerability can be read at:
http://www.cirt.dk

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Novell ZENworks Patch Management Server 6.0.0.52 - SQL injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.