CVE-2021-26578
Hewlett Packard Enterprise Network Orchestrator uaf-token SQL Injection Information Disclosure Vulnerability
- Severity Score: -
- Exploit Likelihood: -
- Affected Versions: prior to 2.5
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
A potential security vulnerability has been identified in HPE Network Orchestrator (NetO) version(s): Prior to 2.5. The vulnerability could be remotely exploited with SQL injection.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Network Orchestrator. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the connections resource. A crafted uaf-token header can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
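The root cause described above is a query built by string concatenation from a request header. The following added example (not HPE's code; the table, column names and the `uaf_token` lookup are assumptions used for illustration) puts the vulnerable pattern beside the parameterized form against a constructed in-memory SQLite table, and adds an input-shape check that a defender can use as a detection or rejection point in front of the query.

```python
import re
import sqlite3

# Constructed sample data standing in for a "connections" store that keeps
# credentials. Schema and values are assumptions for the demo only.
SAMPLE_ROWS = [
    ("tok-1111", "conn-a", "svc-user-a", "s3cr3t-a"),
    ("tok-2222", "conn-b", "svc-user-b", "s3cr3t-b"),
]

# Assumed token alphabet: a real deployment would use whatever its tokens
# actually look like; the point is to reject anything that is not a token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def make_db() -> sqlite3.Connection:
    """Build the constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE connections "
        "(uaf_token TEXT, name TEXT, username TEXT, password TEXT)"
    )
    db.executemany("INSERT INTO connections VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_unsafe(db: sqlite3.Connection, uaf_token: str) -> list:
    """Vulnerable pattern: the header value is spliced into the SQL text,
    so characters in the token become part of the query."""
    sql = (
        "SELECT name, username, password FROM connections "
        "WHERE uaf_token = '" + uaf_token + "'"
    )
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, uaf_token: str) -> list:
    """Hardened pattern: the token is bound as a parameter and can only
    ever be compared as data, never interpreted as SQL."""
    sql = (
        "SELECT name, username, password FROM connections "
        "WHERE uaf_token = ?"
    )
    return db.execute(sql, (uaf_token,)).fetchall()


def is_well_formed_token(uaf_token: str) -> bool:
    """Defence in depth / detection hook: a header value that does not
    match the expected token shape should be rejected and logged before
    any query runs, independent of parameterization."""
    return TOKEN_RE.fullmatch(uaf_token) is not None


def demo() -> dict:
    """Run both lookups with a legitimate token and with a token that
    carries quoting characters, so the difference is visible."""
    db = make_db()
    valid = "tok-1111"
    crafted = "x' OR '1'='1"
    return {
        "unsafe_valid": lookup_unsafe(db, valid),
        "unsafe_crafted": lookup_unsafe(db, crafted),   # leaks every row
        "safe_valid": lookup_safe(db, valid),
        "safe_crafted": lookup_safe(db, crafted),       # matches nothing
        "crafted_rejected": not is_well_formed_token(crafted),
        "valid_accepted": is_well_formed_token(valid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized query is the actual fix; the shape check is a second layer that also gives you a clean place to emit a log event when a malformed `uaf-token` header arrives, which is the signal a detection rule for this class of flaw would key on.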
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-02-02 CVE Reserved
- 2021-03-18 CVE Published
- 2023-12-06 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Hpe | Network Orchestrator | < 2.5 | - | Affected