CVE-2020-24623
Hewlett Packard Enterprise Universal API Framework uaf_token SQL Injection Information Disclosure Vulnerability
Public Exploits: 0
Exploited in Wild: -
Descriptions
A potential security vulnerability has been identified in Hewlett Packard Enterprise Universal API Framework. The vulnerability could be remotely exploited to allow SQL injection in HPE Universal API Framework for VMware ESXi v2.5.2 and HPE Universal API Framework for Microsoft Hyper-V (VHD).
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Universal API Framework. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the connections resource. A crafted uaf-token header can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
Timeline
- 2020-08-25 CVE Reserved
- 2020-09-18 CVE Published
- 2024-08-04 CVE Updated
- 2024-09-11 EPSS Updated
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References (2)
URL | Tag | Source |
---|---|---|
https://www.zerodayinitiative.com/advisories/ZDI-20-1208 | Third Party Advisory | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Hpe | Universal Api Framework | < 2.5.2 | microsoft_hyper-v | Affected |
Hpe | Universal Api Framework | < 2.5.2 | vmware_esxi | Affected |