CVE-2021-4088
- Score 8.4 (CVSS v3.1 base score as rated by Trellix)
- EPSS 1.21%
- Published 24.01.2022 16:15:08
- Last modified 21.11.2024 06:36:52
- Source trellixpsirt@trellix.com
SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.101, and 11.6.401 allows a remote authenticated attacker to inject unfiltered SQL into the DLP part of the ePO database. This could lead to remote code execution on the ePO server with privilege escalation.
Data provided by the National Vulnerability Database (NVD)
- Mcafee ≫ Data Loss Prevention, version >= 11.7.0 and < 11.7.101 (software platform: epolicy_orchestrator)
- Mcafee ≫ Data Loss Prevention, version >= 11.8.0 and < 11.8.100 (software platform: epolicy_orchestrator)
- Mcafee ≫ Data Loss Prevention, version 11.6.401 (software platform: epolicy_orchestrator)
No CISA KEV entry or CERT.AT advisory was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 1.21% | 0.782
Source | Base Score | Exploit Score | Impact Score | Vector String
---|---|---|---|---
nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov | 6.5 | 8 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P (CVSS v2)
trellixpsirt@trellix.com | 8.4 | 1.7 | 6 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

NVD and Trellix agree on a network-reachable flaw that needs high privileges (an authenticated ePO user) and has full confidentiality, integrity and availability impact. They differ on user interaction (NVD: none, Trellix: required) and scope (NVD: unchanged, Trellix: changed); the scope change reflects the description's point that SQL injected into the DLP part of the database can lead to code execution on the ePO server itself, and it outweighs the UI:R penalty, which is why the Trellix vector scores higher.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
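The CWE-89 pattern described above, shown as an added example that is not code from this page or from the DLP/ePO product: an in-memory SQLite table of constructed "incident" rows is queried once by string concatenation and once with a bound parameter. The schema, the lookup functions and the payload are illustrative assumptions; nothing here is taken from the vulnerability report. The same input that widens the vulnerable query to return every row is handled as an ordinary, non-matching value by the parameterised query, and a legitimate value containing an apostrophe breaks the vulnerable query outright.

```python
"""CWE-89 demonstration: string-built SQL versus a parameterised query.

Added example, not code from the page or from the DLP/ePO product. The
table, rows, function names and payload are constructed for illustration.
"""
import sqlite3

# Constructed sample data (not real DLP records).
ROWS = [
    (1, "alice", "USB copy blocked"),
    (2, "bob", "Email attachment flagged"),
    (3, "carol", "Print job blocked"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE incidents (id INTEGER, user TEXT, event TEXT)")
    conn.executemany("INSERT INTO incidents VALUES (?, ?, ?)", ROWS)
    return conn


def incidents_for_user_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    """The CWE-89 shape: externally supplied 'user' is pasted into the statement,
    so any SQL syntax inside it is parsed as part of the query, not as data."""
    sql = "SELECT id, user, event FROM incidents WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def incidents_for_user_safe(conn: sqlite3.Connection, user: str) -> list:
    """Parameterised form: the statement text is fixed and 'user' is bound by the
    driver as a value, so it can only ever be compared, never change structure."""
    sql = "SELECT id, user, event FROM incidents WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()


# Constructed payload: closes the string literal and appends an always-true clause,
# turning  WHERE user = 'nobody'  into  WHERE user = 'nobody' OR '1'='1'.
PAYLOAD = "nobody' OR '1'='1"


def demo() -> dict:
    """Run both query styles against honest input, the payload, and an apostrophe."""
    conn = make_db()
    result = {
        "honest_vulnerable": incidents_for_user_vulnerable(conn, "alice"),
        "payload_vulnerable": incidents_for_user_vulnerable(conn, PAYLOAD),
        "payload_safe": incidents_for_user_safe(conn, PAYLOAD),
        "apostrophe_safe": incidents_for_user_safe(conn, "o'brien"),
    }
    # A legitimate name with a quote is also enough to break the concatenated query:
    # the unbalanced quote is a syntax error, which is often the first external sign
    # that a parameter reaches the SQL parser unescaped.
    try:
        incidents_for_user_vulnerable(conn, "o'brien")
        result["apostrophe_breaks_vulnerable"] = False
    except sqlite3.OperationalError:
        result["apostrophe_breaks_vulnerable"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fix is not escaping the quote characters by hand (that is the "incorrectly neutralizes" case CWE-89 also names) but keeping query text and data on separate channels: prepared statements with bound parameters, or an ORM that does the same underneath. Note that sqlite3 refuses stacked statements in a single `execute`, so the payload here only widens the result set; on a server-side database that permits batching, the same injection point is where stacked statements, stored-procedure calls and the path to code execution mentioned in the description begin.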