Remote Code Execution Vulnerability in Quest NetVault Backup
CVE-2017-17420

9.8CRITICAL

Key Information:

Vendor: Quest
Status: Quest Netvault Backup
Vendor: CVE Published:; 8 February 2018

What is CVE-2017-17420?

A remote code execution vulnerability is present in Quest NetVault Backup, specifically in version 11.3.0.12. This flaw occurs due to insufficient validation of user-supplied strings in NVBUJobCountHistory Get method requests, which leads to the construction of potentially malicious SQL queries. Attackers can exploit this weakness to execute arbitrary code, compromising the security of the underlying database without the need for authentication. This vulnerability underscores the importance of robust input validation practices.

Affected Version(s)

Quest NetVault Backup 11.3.0.12

References

https://zerodayinitiative.com/advisories/ZDI-17-985

x_refsource_MISC

EPSS Score

19% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 8, 2018
Vulnerability Reserved
Dec 5, 2017