CVE-2019-15995

Cisco DNA Spaces: Connector SQL Injection Vulnerability

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability in the web UI of Cisco DNA Spaces: Connector could allow an authenticated, remote attacker to execute arbitrary SQL queries. The vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by entering malicious SQL statements in an affected field in the web UI. A successful exploit could allow the attacker to remove the SQL database, which would require the reinstallation of the Connector VM.

Una vulnerabilidad en la Interfaz de Usuario web de Cisco DNA Spaces: Connector, podría permitir a un atacante remoto autenticado ejecutar consultas SQL arbitrarias. La vulnerabilidad se presenta porque la interfaz de usuario web no comprueba correctamente la entrada suministrada por el usuario. Un atacante podría explotar esta vulnerabilidad al ingresar sentencias SQL maliciosas en un campo afectado en la Interfaz de Usuario web. Una explotación con éxito podría permitir al atacante suprimir la base de datos SQL, lo que requeriría la reinstalación de la VM de Connector.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2019-09-06 CVE Reserved
2019-11-26 CVE Published
2023-03-07 EPSS Updated
2024-11-21 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-dna-sqlinjection	2019-12-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Dna Spaces: Connector Search vendor "Cisco" for product "Dna Spaces: Connector"				< 2.0 Search vendor "Cisco" for product "Dna Spaces: Connector" and version " < 2.0"		-		Affected