Vulnerability Name:
CVE-2008-2380 (CCN-47494)
Assigned:
2008-12-17
Published:
2008-12-17
Updated:
2017-08-08
Summary:
SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes.
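Worked example (added here; this is not code from Courier-Authlib or from any advisory referenced on this page). It shows the class of defect the summary describes in three steps: a string-concatenated lookup that an apostrophe in the login name breaks out of, a hand-rolled byte-level apostrophe escaper that neutralises the quote under a single-byte encoding but not under a multibyte one, and a parameterized query that is immune regardless of encoding. The page does not state which mechanism authpgsqllib.c tripped over; the multibyte case is the usual way locale-dependent quoting fails and is shown as an illustration of that class, not as the confirmed root cause. SQLite stands in for Postgres so the example runs offline; the users table, its two rows, the hypothetical escape_bytes_naively() helper and the latin-1/GBK pair are all constructed for this example. With libpq the connection-aware equivalents are PQescapeStringConn() and PQexecParams().

```python
import sqlite3

# Constructed in-memory stand-in for the authentication database.
def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the login name is pasted into the SQL text verbatim."""
    sql = "SELECT password FROM users WHERE id = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver carries the value separately from the SQL text,
    so an apostrophe in the login name can never terminate the literal."""
    rows = conn.execute("SELECT password FROM users WHERE id = ?", (username,))
    return sorted(row[0] for row in rows)


def escape_bytes_naively(value: bytes) -> bytes:
    """Hypothetical hand-rolled escaper: backslash every ' and \\ one byte at
    a time, ignoring the server encoding. This is the pattern that fails once
    the database uses a multibyte (non-Latin) encoding."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x5C):          # ' and \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query_bytes(username: bytes) -> bytes:
    """Query text as the naive escaper would hand it to the server."""
    return (b"SELECT password FROM users WHERE id = '"
            + escape_bytes_naively(username) + b"'")


def apostrophe_escaped(query: bytes, encoding: str) -> bool:
    """Decode the SQL the way a server with the given encoding would, then
    check that every apostrophe inside the literal is still preceded by a
    backslash character. False means the escape byte was absorbed into a
    multibyte character and the quote is live again."""
    text = query.decode(encoding, errors="replace")
    start = text.index("id = '") + len("id = '")
    body = text[start:-1]                       # strip the closing quote
    for i, ch in enumerate(body):
        if ch == "'" and (i == 0 or body[i - 1] != "\\"):
            return False
    return True


if __name__ == "__main__":
    conn = demo_db()
    hostile = "x' OR 1=1 --"
    print("concatenated :", lookup_concatenated(conn, hostile))   # both passwords
    print("parameterized:", lookup_parameterized(conn, hostile))  # []

    # 0xBF followed by the escape byte 0x5C forms one GBK character, so the
    # inserted backslash disappears and the apostrophe terminates the literal.
    probe = b"\xbf' OR 1=1 --"
    q = build_query_bytes(probe)
    print("latin-1 keeps escape:", apostrophe_escaped(q, "latin-1"))  # True
    print("gbk keeps escape    :", apostrophe_escaped(q, "gbk"))      # False
```

The check to take away: any escaping that is done without knowledge of the connection's client encoding is only as safe as the single-byte assumption behind it, which is exactly what a non-Latin locale breaks. Parameterized statements (or, for libpq string building, PQescapeStringConn() with the live connection) remove that dependency.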
CVSS v3 Severity:
5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): High; Privileges Required (PR): None; User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): Low
CVSS v2 Severity:
5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
4.4 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
4.4 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics (identical for the NVD and CCN vectors): Access Vector (AV): Network; Access Complexity (AC): High; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial
Vulnerability Type:
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Vulnerability Consequences:
Data Manipulation
References:
MITRE (CNA): CVE-2008-2380
OSVDB: 50811
CCN (SA33235): Courier Authentication Library Postgres SQL Injection Vulnerability
SECUNIA (Vendor Advisory): 33235
SECUNIA: 34234
GENTOO: GLSA-200903-25
CCN (Courier Web site): Courier-Authlib ChangeLog
CONFIRM (Vendor Advisory): http://www.courier-mta.org/authlib/changelog.html
DEBIAN (DSA-1688): courier-authlib -- SQL injection
CCN (GLSA-200903-25): Courier Authentication Library: SQL Injection vulnerability
CCN (OSVDB ID: 50811): Courier Authentication Library authpgsqllib.c Unspecified SQL Injection
BID (Patch): 32926
CCN (BID-32926): Courier-Authlib Non-Latin Character Handling Postgres SQL Injection Vulnerability
XF: courier-library-postgres-sql-injection(47494)
SUSE (SUSE-SR:2009:001): SUSE Security Summary Report
Vulnerable Configuration:
Configuration 1 (any of the following):
cpe:/a:courier-mta:courtier-authlib:0.52:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.53:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.54:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.55:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.56:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.57:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.58:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.59:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.59.1:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.59.2:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.59.3:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.60:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.60.1:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.60.2:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.60.3:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.60.4:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.60.5:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.60.6:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.61.0:*:*:*:*:*:*:*
cpe:/a:courier-mta:courtier-authlib:0.61.1:*:*:*:*:*:*:*
Note: the CPE product name is recorded as "courtier-authlib", while the project itself is Courier-Authlib; when matching inventories or scanner output against this record, match on both spellings. Versions 0.62.0 and later are not affected.
Oval Definitions (Class: V = vulnerability definition, P = patch definition):
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20082380 | V | CVE-2008-2380 | 2015-11-16
oval:org.mitre.oval:def:8347 | P | DSA-1688 courier-authlib -- SQL injection | 2014-06-23
oval:org.mitre.oval:def:18407 | P | DSA-1688-1 courier-authlib - SQL injection | 2014-06-23
oval:org.debian:def:1688 | V | SQL injection | 2008-12-20