CVE-2023-3864

Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC	Issue Tracking Vendor Advisory
https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:service_provider:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:18

Type	Values Removed	Values Added
Summary		(es) La inyección SQL ciega en un servicio, que se ejecuta en el gestor de licencias de Snow Software desde la versión 8.0.0 hasta la 9.30.1 inclusive en Windows, permite a un usuario conectado con privilegios elevados inyectar comandos SQL a través del portal web.
References	~~() https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC - Issue Tracking, Vendor Advisory~~	() https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC - Issue Tracking, Vendor Advisory

Information

Published : 2023-08-11 12:15

Updated : 2024-11-21 08:18

NVD link : CVE-2023-3864

Mitre link : CVE-2023-3864

CVE.ORG link : CVE-2023-3864

JSON object : View

Products Affected

microsoft

windows

snowsoftware

snow_license_manager

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-3864", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@snowsoftware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-08-11T12:15:09.293", "references": [{"url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@snowsoftware.com"}, {"url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@snowsoftware.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal."}, {"lang": "es", "value": "La inyecci\u00f3n SQL ciega en un servicio, que se ejecuta en el gestor de licencias de Snow Software desde la versi\u00f3n 8.0.0 hasta la 9.30.1 inclusive en Windows, permite a un usuario conectado con privilegios elevados inyectar comandos SQL a trav\u00e9s del portal web.\n"}], "lastModified": "2024-11-21T08:18:15.003", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:service_provider:*:*:*", "vulnerable": true, "matchCriteriaId": "9D4B877A-8A0A-44AE-8BB2-6861A38FC46E", "versionEndIncluding": "9.30.1", "versionStartIncluding": "8.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@snowsoftware.com"}