Post-auth Read-only SQL Injection Vulnerability in Sophos Firewall
CVE-2022-3710
2.7LOW
Summary
A post-auth read-only SQL injection vulnerability exists in the API controller of Sophos Firewall, enabling API clients to access non-sensitive configuration data from the database. Affected versions include all releases prior to 19.5 GA, highlighting the importance of maintaining updated software to mitigate such vulnerabilities.
Affected Version(s)
Sophos Firewall < 19.5 GA
Sophos Firewall < 19.0 MR2
References
CVSS V3.1
Score:
2.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Erik de Jong